Source-Changes-HG archive


[src/trunk]: src/lib/libc/gen PR/56260: Alex Richardson: Out-of-bounds stack ...



details:   https://anonhg.NetBSD.org/src/rev/2a55fc1b8bad
branches:  trunk
changeset: 984009:2a55fc1b8bad
user:      christos <christos%NetBSD.org@localhost>
date:      Fri Jun 18 10:57:14 2021 +0000

description:
PR/56260: Alex Richardson: Out-of-bounds stack read in lib/libc/gen/vis.c
Also sync with other FreeBSD changes.

diffstat:

 lib/libc/gen/vis.c |  17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

diffs (69 lines):

diff -r 980513ccac29 -r 2a55fc1b8bad lib/libc/gen/vis.c
--- a/lib/libc/gen/vis.c        Fri Jun 18 06:34:00 2021 +0000
+++ b/lib/libc/gen/vis.c        Fri Jun 18 10:57:14 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vis.c,v 1.74 2017/11/27 16:37:21 christos Exp $        */
+/*     $NetBSD: vis.c,v 1.75 2021/06/18 10:57:14 christos Exp $        */
 
 /*-
  * Copyright (c) 1989, 1993
@@ -57,7 +57,7 @@
 
 #include <sys/cdefs.h>
 #if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: vis.c,v 1.74 2017/11/27 16:37:21 christos Exp $");
+__RCSID("$NetBSD: vis.c,v 1.75 2021/06/18 10:57:14 christos Exp $");
 #endif /* LIBC_SCCS and not lint */
 #ifdef __FBSDID
 __FBSDID("$FreeBSD$");
@@ -353,12 +353,15 @@
        wchar_t *dst, *d;
        size_t len;
        const wchar_t *s;
+       mbstate_t mbstate;
 
        len = strlen(src);
        if ((dst = calloc(len + MAXEXTRAS, sizeof(*dst))) == NULL)
                return NULL;
 
-       if ((flags & VIS_NOLOCALE) || mbstowcs(dst, src, len) == (size_t)-1) {
+       memset(&mbstate, 0, sizeof(mbstate));
+       if ((flags & VIS_NOLOCALE)
+           || mbsrtowcs(dst, &src, len, &mbstate) == (size_t)-1) {
                size_t i;
                for (i = 0; i < len; i++)
                        dst[i] = (wchar_t)(u_char)src[i];
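Review bot: Passing `&src` to mbsrtowcs() lets the call modify `src`, and the fallback loop just below still indexes `src[i]` for `i < len`. The C standard has mbsrtowcs() store either NULL or the address just past the last converted character into `*src`. If the implementation advances the pointer before reporting an encoding error, the loop copies `len` bytes from a moved pointer and can read past the end of the string. Convert through a scratch pointer so the original stays intact: `const char *p = src;` and `mbsrtowcs(dst, &p, len, &mbstate)`. The enclosing function starts and ends outside this hunk, so any later use of `src` should be checked too.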
@@ -401,6 +404,7 @@
        int clen = 0, cerr, error = -1, i, shft;
        char *mbdst, *mdst;
        ssize_t mbslength, maxolen;
+       mbstate_t mbstate;
 
        _DIAGASSERT(mbdstp != NULL);
        _DIAGASSERT(mbsrc != NULL || mblength == 0);
@@ -458,10 +462,12 @@
         * stop at NULs because we may be processing a block of data
         * that includes NULs.
         */
+       memset(&mbstate, 0, sizeof(mbstate));
        while (mbslength > 0) {
                /* Convert one multibyte character to wchar_t. */
                if (!cerr)
-                       clen = mbtowc(src, mbsrc, MB_LEN_MAX);
+                       clen = mbrtowc(src, mbsrc, MIN(mbslength, MB_LEN_MAX),
+                           &mbstate);
                if (cerr || clen < 0) {
                        /* Conversion error, process as a byte instead. */
                        *src = (wint_t)(u_char)*mbsrc;
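Review bot: After mbrtowc() reports an encoding error the conversion state in `mbstate` is unspecified, and after an incomplete-sequence return it holds the partial bytes, yet the byte fallback under `if (cerr || clen < 0)` continues without resetting it. If later iterations can call mbrtowc() again (whether `cerr` stays set is outside this hunk), add `memset(&mbstate, 0, sizeof(mbstate));` in that branch. The same applies to the wcrtomb() loop in the `@@ -534,9 +540,10 @@` hunk. A short comment would also help, since `clen` is an int and the size_t error returns are caught by `clen < 0` only through the narrowing conversion: `/* (size_t)-1 and (size_t)-2 become negative in clen */`.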
@@ -534,9 +540,10 @@
        len = wcslen(start);
        maxolen = dlen ? *dlen : (wcslen(start) * MB_LEN_MAX + 1);
        olen = 0;
+       memset(&mbstate, 0, sizeof(mbstate));
        for (dst = start; len > 0; len--) {
                if (!cerr)
-                       clen = wctomb(mbdst, *dst);
+                       clen = wcrtomb(mbdst, *dst, &mbstate);
                if (cerr || clen < 0) {
                        /*
                         * Conversion error, process as a byte(s) instead.


