git: 6d5297569e70 - main - libc: Fix "harmless" iconv one-byte overread

From: Jessica Clarke <jrtc27_at_FreeBSD.org>
Date: Tue, 21 Dec 2021 22:52:00 UTC
The branch main has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=6d5297569e70eb71eeb7ae5278a165d4ffb50874

commit 6d5297569e70eb71eeb7ae5278a165d4ffb50874
Author:     Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2021-12-21 22:47:38 +0000
Commit:     Jessica Clarke <jrtc27@FreeBSD.org>
CommitDate: 2021-12-21 22:47:38 +0000

    libc: Fix "harmless" iconv one-byte overread
    
    Checking there are still bytes left must be done before dereferencing
    the pointer, not the other way round. This is harmless on traditional
    architectures since the result will immediately be thrown away, and all
    callers are in separate translation units so there is no potential for
    optimising based on this out-of-bounds read. However, on CHERI, pointers
    are bounded, and so this will trap if fed a string that does not have a
    NUL within the first len bytes.
    
    Found by:       CHERI
    Reviewed by:    brooks
---
 lib/libc/iconv/citrus_bcs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/libc/iconv/citrus_bcs.c b/lib/libc/iconv/citrus_bcs.c
index b8484a0d793e..cd88ea7fe2fd 100644
--- a/lib/libc/iconv/citrus_bcs.c
+++ b/lib/libc/iconv/citrus_bcs.c
@@ -109,7 +109,7 @@ const char *
 _citrus_bcs_skip_ws_len(const char * __restrict p, size_t * __restrict len)
 {
 
-	while (*p && *len > 0 && _bcs_isspace(*p)) {
+	while (*len > 0 && *p && _bcs_isspace(*p)) {
 		p++;
 		(*len)--;
 	}
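Review bot: the corrected condition in `_citrus_bcs_skip_ws_len` depends entirely on operand order, and nothing in the code says so. `*len > 0 && *p && _bcs_isspace(*p)` is only safe because `&&` short-circuits before `*p` is evaluated, which is the same property the old line got backwards. A one-line comment above the `while`, stating that the length check must come first because `p` may point at a buffer with no NUL within `*len` bytes, would keep a later tidy-up from reintroducing the overread. The quotes around "harmless" in the subject suggest the same caveat belongs next to the code, not only in the log.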
@@ -124,7 +124,7 @@ const char *
 _citrus_bcs_skip_nonws_len(const char * __restrict p, size_t * __restrict len)
 {
 
-	while (*p && *len > 0 && !_bcs_isspace(*p)) {
+	while (*len > 0 && *p && !_bcs_isspace(*p)) {
 		p++;
 		(*len)--;
 	}
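Review bot: `_citrus_bcs_skip_nonws_len` now carries a second copy of the same order-sensitive guard, differing from the first loop only by the `!` in front of `_bcs_isspace(*p)`, so the invariant has to be kept correct in two places. Consider factoring the shared `*len > 0 && *p` test into one small static inline helper, or at least repeating the ordering comment here. The change also comes without a regression test. A case that passes a buffer of exactly `*len` non-space bytes with no terminating NUL, run under a bounds-checking tool or on CHERI, would exercise the exact path described in the commit message. It would also be worth checking the other length-bounded helpers in this file for the same `*p && *len > 0` ordering.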