Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/lib/libc/gen PR/56260: Alex Richardson: Out-of-bounds stack ...
details: https://anonhg.NetBSD.org/src/rev/2a55fc1b8bad
branches: trunk
changeset: 984009:2a55fc1b8bad
user: christos <christos%NetBSD.org@localhost>
date: Fri Jun 18 10:57:14 2021 +0000
description:
PR/56260: Alex Richardson: Out-of-bounds stack read in lib/libc/gen/vis.c
Also sync with other FreeBSD changes.
diffstat:
lib/libc/gen/vis.c | 17 ++++++++++++-----
1 files changed, 12 insertions(+), 5 deletions(-)
diffs (69 lines):
diff -r 980513ccac29 -r 2a55fc1b8bad lib/libc/gen/vis.c
--- a/lib/libc/gen/vis.c Fri Jun 18 06:34:00 2021 +0000
+++ b/lib/libc/gen/vis.c Fri Jun 18 10:57:14 2021 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: vis.c,v 1.74 2017/11/27 16:37:21 christos Exp $ */
+/* $NetBSD: vis.c,v 1.75 2021/06/18 10:57:14 christos Exp $ */
/*-
* Copyright (c) 1989, 1993
@@ -57,7 +57,7 @@
#include <sys/cdefs.h>
#if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: vis.c,v 1.74 2017/11/27 16:37:21 christos Exp $");
+__RCSID("$NetBSD: vis.c,v 1.75 2021/06/18 10:57:14 christos Exp $");
#endif /* LIBC_SCCS and not lint */
#ifdef __FBSDID
__FBSDID("$FreeBSD$");
@@ -353,12 +353,15 @@
wchar_t *dst, *d;
size_t len;
const wchar_t *s;
+ mbstate_t mbstate;
len = strlen(src);
if ((dst = calloc(len + MAXEXTRAS, sizeof(*dst))) == NULL)
return NULL;
- if ((flags & VIS_NOLOCALE) || mbstowcs(dst, src, len) == (size_t)-1) {
+ memset(&mbstate, 0, sizeof(mbstate));
+ if ((flags & VIS_NOLOCALE)
+ || mbsrtowcs(dst, &src, len, &mbstate) == (size_t)-1) {
size_t i;
for (i = 0; i < len; i++)
dst[i] = (wchar_t)(u_char)src[i];
@@ -401,6 +404,7 @@
int clen = 0, cerr, error = -1, i, shft;
char *mbdst, *mdst;
ssize_t mbslength, maxolen;
+ mbstate_t mbstate;
_DIAGASSERT(mbdstp != NULL);
_DIAGASSERT(mbsrc != NULL || mblength == 0);
@@ -458,10 +462,12 @@
* stop at NULs because we may be processing a block of data
* that includes NULs.
*/
+ memset(&mbstate, 0, sizeof(mbstate));
while (mbslength > 0) {
/* Convert one multibyte character to wchar_t. */
if (!cerr)
- clen = mbtowc(src, mbsrc, MB_LEN_MAX);
+ clen = mbrtowc(src, mbsrc, MIN(mbslength, MB_LEN_MAX),
+ &mbstate);
if (cerr || clen < 0) {
/* Conversion error, process as a byte instead. */
*src = (wint_t)(u_char)*mbsrc;
@@ -534,9 +540,10 @@
len = wcslen(start);
maxolen = dlen ? *dlen : (wcslen(start) * MB_LEN_MAX + 1);
olen = 0;
+ memset(&mbstate, 0, sizeof(mbstate));
for (dst = start; len > 0; len--) {
if (!cerr)
- clen = wctomb(mbdst, *dst);
+ clen = wcrtomb(mbdst, *dst, &mbstate);
if (cerr || clen < 0) {
/*
* Conversion error, process as a byte(s) instead.
Home |
Main Index |
Thread Index |
Old Index