[PATCH] Fix buffer overrun in EUC-KR conversion module (bug 24973)

[PATCH] Fix buffer overrun in EUC-KR conversion module (bug 24973)

[Andreas Schwab]

The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
area and is not allowed.  The from_euc_kr function used to skip two bytes
when told to skip over the invalid byte, potentially running over the
buffer end.

	[BZ #24973]
	* iconvdata/euc-kr.c (BODY for FROM_LOOP): Skip only one byte when
	encountering 0xfe.
	* iconv/Makefile (tests): Add tst-iconv8.
	* iconv/tst-iconv8.c: New file.
---
 iconv/Makefile     |  2 +-
 iconv/tst-iconv8.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++
 iconvdata/euc-kr.c |  2 +-
 3 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 iconv/tst-iconv8.c

diff --git a/iconv/Makefile b/iconv/Makefile
index b7a8f5e0d4..62bbd4e872 100644
--- a/iconv/Makefile
+++ b/iconv/Makefile
@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERATION
 CFLAGS-simple-hash.c += -I../locale
 
 tests	= tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \
-	  tst-iconv7 tst-iconv-mt
+	  tst-iconv7 tst-iconv8 tst-iconv-mt
 
 others		= iconv_prog iconvconfig
 install-others-programs	= $(inst_bindir)/iconv
diff --git a/iconv/tst-iconv8.c b/iconv/tst-iconv8.c
new file mode 100644
index 0000000000..64bf863cd7
--- /dev/null
+++ b/iconv/tst-iconv8.c
@@ -0,0 +1,49 @@
+/* Test EUC-KR module
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+/* Derived from BZ #24973 */
+#include <errno.h>
+#include <iconv.h>
+#include <stdio.h>
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+  iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
+  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
+
+  /* 0xfe (->0x7e : row 94) is a user-defined area. It is not allowed and
+     should be skipped over due to //IGNORE.  */
+  char input[2] = { '\0', '\xfe' };
+  char *inptr = input;
+  size_t insize = sizeof (input);
+  char output[4];
+  char *outptr = output;
+  size_t outsize = sizeof (output);
+
+  /* This used to crash due to buffer overrun.  */
+  TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
+  TEST_VERIFY (errno == EILSEQ);
+
+  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c
index 379414c426..167a554719 100644
--- a/iconvdata/euc-kr.c
+++ b/iconvdata/euc-kr.c
@@ -83,7 +83,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp)
     /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are		      \
        user-defined areas.  */						      \
     else if (__builtin_expect (ch == 0xa0, 0)				      \
-	     || __builtin_expect (ch > 0xfe, 0)				      \
+	     || __builtin_expect (ch >= 0xfe, 0)			      \
 	     || __builtin_expect (ch == 0xc9, 0))			      \
       {									      \
 	/* This is illegal.  */						      \
-- 
2.23.0


-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

Re: [PATCH] Fix buffer overrun in EUC-KR conversion module (bug 24973)

[Adhemerval Zanella]

On 09/09/2019 12:58, Andreas Schwab wrote:
> diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c
> index 379414c426..167a554719 100644
> --- a/iconvdata/euc-kr.c
> +++ b/iconvdata/euc-kr.c
> @@ -83,7 +83,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp)
>      /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are		      \
>         user-defined areas.  */						      \
>      else if (__builtin_expect (ch == 0xa0, 0)				      \
> -	     || __builtin_expect (ch > 0xfe, 0)				      \
> +	     || __builtin_expect (ch >= 0xfe, 0)			      \
>  	     || __builtin_expect (ch == 0xc9, 0))			      \
>        {									      \
>  	/* This is illegal.  */						      \
> 

We should aim to use __glibc_{un}likely for new code.

[PATCH v2] Fix buffer overrun in EUC-KR conversion module (bug 24973)

[Andreas Schwab]

The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
area and is not allowed.  The from_euc_kr function used to skip two bytes
when told to skip over the unknown designation, potentially running over
the buffer end.

	[BZ #24973]
	* iconvdata/ksc5601.h (ksc5601_to_ucs4): Check for available bytes
	first.
	* iconvdata/euc-kr.c (BODY for FROM_LOOP): Don't check for unknown
	two-byte codes here.
	* iconvdata/Makefile (tests): Add bug-iconv13.
	* iconvdata/bug-iconv13.c: New file.
---
 iconvdata/Makefile      |  2 +-
 iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++
 iconvdata/euc-kr.c      |  6 +----
 iconvdata/ksc5601.h     |  6 ++---
 4 files changed, 58 insertions(+), 9 deletions(-)
 create mode 100644 iconvdata/bug-iconv13.c

diff --git a/iconvdata/Makefile b/iconvdata/Makefile
index 763ef05389..5dac816857 100644
--- a/iconvdata/Makefile
+++ b/iconvdata/Makefile
@@ -73,7 +73,7 @@ modules.so := $(addsuffix .so, $(modules))
 ifeq (yes,$(build-shared))
 tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
 	tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
-	bug-iconv10 bug-iconv11 bug-iconv12
+	bug-iconv10 bug-iconv11 bug-iconv12 bug-iconv13
 ifeq ($(have-thread-library),yes)
 tests += bug-iconv3
 endif
diff --git a/iconvdata/bug-iconv13.c b/iconvdata/bug-iconv13.c
new file mode 100644
index 0000000000..e879e4fe14
--- /dev/null
+++ b/iconvdata/bug-iconv13.c
@@ -0,0 +1,53 @@
+/* bug 24973: Test EUC-KR module
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <iconv.h>
+#include <stdio.h>
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+  iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
+  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
+
+  /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
+     areas, which are not allowed and should be skipped over due to
+     //IGNORE.  The trailing 0xfe also is an incomplete sequence, which
+     should be checked first.  */
+  char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
+  char *inptr = input;
+  size_t insize = sizeof (input);
+  char output[4];
+  char *outptr = output;
+  size_t outsize = sizeof (output);
+
+  /* This used to crash due to buffer overrun.  */
+  TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
+  TEST_VERIFY (errno == EINVAL);
+  /* The conversion should produce one character, the converted null
+     character.  */
+  TEST_VERIFY (sizeof (output) - outsize == 1);
+
+  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c
index 379414c426..54ab362e8e 100644
--- a/iconvdata/euc-kr.c
+++ b/iconvdata/euc-kr.c
@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp)
 									      \
     if (ch <= 0x9f)							      \
       ++inptr;								      \
-    /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are		      \
-       user-defined areas.  */						      \
-    else if (__builtin_expect (ch == 0xa0, 0)				      \
-	     || __builtin_expect (ch > 0xfe, 0)				      \
-	     || __builtin_expect (ch == 0xc9, 0))			      \
+    else if (__glibc_unlikely (ch == 0xa0))				      \
       {									      \
 	/* This is illegal.  */						      \
 	STANDARD_FROM_LOOP_ERR_HANDLER (1);				      \
diff --git a/iconvdata/ksc5601.h b/iconvdata/ksc5601.h
index 5582cc8deb..c3c39661d5 100644
--- a/iconvdata/ksc5601.h
+++ b/iconvdata/ksc5601.h
@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avail, unsigned char offset)
   unsigned char ch2;
   int idx;
 
+  if (avail < 2)
+    return 0;
+
   /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
 
   if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
       || (ch - offset) == 0x49)
     return __UNKNOWN_10646_CHAR;
 
-  if (avail < 2)
-    return 0;
-
   ch2 = (*s)[1];
   if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
     return __UNKNOWN_10646_CHAR;
-- 
2.23.0


-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."