git: 5d10ed57e655 - stable/13 - libc: Fix "harmless" iconv one-byte overread
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 25 Jan 2022 01:40:14 UTC
The branch stable/13 has been updated by jrtc27:
URL: https://cgit.FreeBSD.org/src/commit/?id=5d10ed57e655a2d5923f243955291da219c07a42
commit 5d10ed57e655a2d5923f243955291da219c07a42
Author: Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2021-12-21 22:47:38 +0000
Commit: Jessica Clarke <jrtc27@FreeBSD.org>
CommitDate: 2022-01-24 23:59:47 +0000
libc: Fix "harmless" iconv one-byte overread
Checking there are still bytes left must be done before dereferencing
the pointer, not the other way round. This is harmless on traditional
architectures since the result will immediately be thrown away, and all
callers are in separate translation units so there is no potential for
optimising based on this out-of-bounds read. However, on CHERI, pointers
are bounded, and so this will trap if fed a string that does not have a
NUL within the first len bytes.
Found by: CHERI
Reviewed by: brooks
(cherry picked from commit 6d5297569e70eb71eeb7ae5278a165d4ffb50874)
---
lib/libc/iconv/citrus_bcs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/libc/iconv/citrus_bcs.c b/lib/libc/iconv/citrus_bcs.c
index b8484a0d793e..cd88ea7fe2fd 100644
--- a/lib/libc/iconv/citrus_bcs.c
+++ b/lib/libc/iconv/citrus_bcs.c
@@ -109,7 +109,7 @@ const char *
_citrus_bcs_skip_ws_len(const char * __restrict p, size_t * __restrict len)
{
- while (*p && *len > 0 && _bcs_isspace(*p)) {
+ while (*len > 0 && *p && _bcs_isspace(*p)) {
p++;
(*len)--;
}
@@ -124,7 +124,7 @@ const char *
_citrus_bcs_skip_nonws_len(const char * __restrict p, size_t * __restrict len)
{
- while (*p && *len > 0 && !_bcs_isspace(*p)) {
+ while (*len > 0 && *p && !_bcs_isspace(*p)) {
p++;
(*len)--;
}