CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]
[platform/upstream/glibc.git] / iconvdata / ibm933.c
1 /* Conversion from and to IBM933.
2    Copyright (C) 2000-2014 Free Software Foundation, Inc.
3    This file is part of the GNU C Library.
4    Contributed by Masahide Washizawa <washi@yamato.ibm.co.jp>, 2000.
5
6    The GNU C Library is free software; you can redistribute it and/or
7    modify it under the terms of the GNU Lesser General Public
8    License as published by the Free Software Foundation; either
9    version 2.1 of the License, or (at your option) any later version.
10
11    The GNU C Library is distributed in the hope that it will be useful,
12    but WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14    Lesser General Public License for more details.
15
16    You should have received a copy of the GNU Lesser General Public
17    License along with the GNU C Library; if not, see
18    <http://www.gnu.org/licenses/>.  */
19
20 #include <dlfcn.h>
21 #include <stdint.h>
22 #include <wchar.h>
23 #include <byteswap.h>
24 #include "ibm933.h"
25
/* Shift-state control bytes of the IBM933 byte stream.  The converters
   below treat them purely as state switches: they select which lookup
   table the following bytes go through and produce no character.  */
26 /* The shift sequences for this charset (it does not use ESC).  */
27 #define SI              0x0F  /* Shift In, host code to turn DBCS off.  */
28 #define SO              0x0E  /* Shift Out, host code to turn DBCS on.  */
29
/* Per-step byte counts.  FROM_LOOP (IBM933 -> UCS4) consumes 1 or 2 bytes
   and produces exactly 4; TO_LOOP (UCS4 -> IBM933) consumes exactly 4 and
   produces 1 to 3 (the 3-byte case is SO followed by a two-byte code, see
   the TO_LOOP BODY).  NOTE(review): these are presumably what the generic
   code in iconv/loop.c and iconv/skeleton.c (included further down, not
   shown here) uses for its own buffer checks, so they have to stay in
   step with what the BODY macros really read and write -- confirm.  */
30 /* Definitions used in the body of the `gconv' function.  */
31 #define CHARSET_NAME    "IBM933//"
32 #define FROM_LOOP       from_ibm933
33 #define TO_LOOP         to_ibm933
34 #define ONE_DIRECTION                   0
35 #define FROM_LOOP_MIN_NEEDED_FROM       1
36 #define FROM_LOOP_MAX_NEEDED_FROM       2
37 #define FROM_LOOP_MIN_NEEDED_TO         4
38 #define FROM_LOOP_MAX_NEEDED_TO         4
39 #define TO_LOOP_MIN_NEEDED_FROM         4
40 #define TO_LOOP_MAX_NEEDED_FROM         4
41 #define TO_LOOP_MIN_NEEDED_TO           1
42 #define TO_LOOP_MAX_NEEDED_TO           3
/* curcsp aliases the conversion state word __count.  The shift state is
   kept in the bits above the low three (every reader in this file masks
   with ~7); save_curcs is the scratch slot used by SAVE_RESET_STATE.  */
43 #define PREPARE_LOOP \
44   int save_curcs;                                                             \
45   int *curcsp = &data->__statep->__count;
46 #define EXTRA_LOOP_ARGS         , curcsp
47
48 /* Definitions of initialization and destructor function.  */
49 #define DEFINE_INIT     1
50 #define DEFINE_FINI     1
51
52
/* Flush hook: bring the shift state back to single-byte (sb).
   - From-IBM933 direction: only the state bits are cleared, nothing is
     written.
   - To-IBM933 direction: one SI byte is written, and only after the
     `outbuf >= outend' room check.  When there is no room, status becomes
     __GCONV_FULL_OUTPUT and the state is left untouched.
   The low three bits of __count are preserved in both cases (`&= 7').  */
53 /* Since this is a stateful encoding we have to provide code which resets
54    the output state to the initial state.  This has to be done during the
55    flushing.  */
56 #define EMIT_SHIFT_TO_INIT \
57   if ((data->__statep->__count & ~7) != sb)                                   \
58     {                                                                         \
59       if (FROM_DIRECTION)                                                     \
60         data->__statep->__count &= 7;                                         \
61       else                                                                    \
62         {                                                                     \
63           /* We are not in the initial state.  To switch back we have         \
64              to emit `SI'.  */                                                \
65           if (__glibc_unlikely (outbuf >= outend))                            \
66             /* We don't have enough room in the output buffer.  */            \
67             status = __GCONV_FULL_OUTPUT;                                     \
68           else                                                                \
69             {                                                                 \
70               /* Write out the shift sequence.  */                            \
71               *outbuf++ = SI;                                                 \
72               data->__statep->__count &= 7;                                   \
73             }                                                                 \
74         }                                                                     \
75     }
76
77
/* SAVE_RESET_STATE (1) copies the current shift state word into
   save_curcs; SAVE_RESET_STATE (0) writes that copy back.  The expansion
   is an unbraced if/else that ends without a semicolon, so it is only
   safe where the caller uses it as one complete statement.  */
78 /* Since we might have to reset input pointer we must be able to save
79    and restore the state.  */
80 #define SAVE_RESET_STATE(Save) \
81   if (Save)                                                                   \
82     save_curcs = *curcsp;                                                     \
83   else                                                                        \
84     *curcsp = save_curcs
85
86
/* Shift-state values.  They are compared against `__count & ~7', so
   neither value may use the low three bits of the state word.  */
87 /* Current codeset type.  */
88 enum
89 {
90   sb = 0,   /* Single-byte table in effect (initial state).  */
91   db = 64   /* Double-byte table in effect (after SO).  */
92 };
93
/* BODY for the IBM933 -> UCS4 direction.  It is expanded inside the
   conversion loop of iconv/loop.c (included at the end of this block),
   which supplies inptr, inend, outptr, result and the loop that the
   `break' and `continue' statements act on.  NOTE(review): that file is
   not part of this listing -- confirm the details there.

   Per iteration:
     - SO / SI only flip curcs between sb and db and consume one byte.  A
       shift into the state already in effect is rejected with
       __GCONV_ILLEGAL_INPUT, and inptr is left on the offending byte.
     - In sb state the input byte indexes __ibm933sb_to_ucs4 directly.
     - In db state the second byte is read only after the
       `inptr + 1 >= inend' check, so a truncated pair yields
       __GCONV_INCOMPLETE_INPUT instead of a read past the input.
     - A table result of 0 means "no mapping" unless ch itself is 0.

   Input-validation point for the double-byte lookup: ch is built from two
   input bytes (at most 0xffff, assuming inptr points to unsigned bytes),
   and `while (ch > rp2->end) ++rp2' has no bound of its own.  It stops
   only because the index table is expected to end with an entry whose
   `end' covers 0xffff (NOTE(review): the table is declared in ibm933.h,
   not shown -- confirm).  Stopping on an entry with start == 0xffff, or
   with ch below the entry's start, means the pair has no mapping; both
   tests come before the `||' operand that indexes __ibm933db_to_ucs4, so
   the data table is never indexed for such input.  */
94 /* First, define the conversion function from IBM-933 to UCS4.  */
95 #define MIN_NEEDED_INPUT        FROM_LOOP_MIN_NEEDED_FROM
96 #define MAX_NEEDED_INPUT        FROM_LOOP_MAX_NEEDED_FROM
97 #define MIN_NEEDED_OUTPUT       FROM_LOOP_MIN_NEEDED_TO
98 #define MAX_NEEDED_OUTPUT       FROM_LOOP_MAX_NEEDED_TO
99 #define LOOPFCT                 FROM_LOOP
100 #define BODY \
101   {                                                                           \
102     uint32_t ch = *inptr;                                                     \
103     uint32_t res;                                                             \
104                                                                               \
105     if (__builtin_expect (ch, 0) == SO)                                       \
106       {                                                                       \
107         /* Shift OUT, change to DBCS converter.  */                           \
108         if (curcs == db)                                                      \
109           {                                                                   \
110             result = __GCONV_ILLEGAL_INPUT;                                   \
111             break;                                                            \
112           }                                                                   \
113         curcs = db;                                                           \
114         ++inptr;                                                              \
115         continue;                                                             \
116       }                                                                       \
117     else if (__builtin_expect (ch, 0) == SI)                                  \
118       {                                                                       \
119         /* Shift IN, change to SBCS converter.  */                            \
120         if (curcs == sb)                                                      \
121           {                                                                   \
122             result = __GCONV_ILLEGAL_INPUT;                                   \
123             break;                                                            \
124           }                                                                   \
125         curcs = sb;                                                           \
126         ++inptr;                                                              \
127         continue;                                                             \
128       }                                                                       \
129                                                                               \
130     if (curcs == sb)                                                          \
131       {                                                                       \
132         /* Use the IBM933 table for single byte.  */                          \
133         res = __ibm933sb_to_ucs4[ch];                                         \
134         if (__builtin_expect (res, L'\1') == L'\0' && ch != '\0')             \
135           {                                                                   \
136             /* This is an illegal character.  */                              \
137             STANDARD_FROM_LOOP_ERR_HANDLER (1);                               \
138           }                                                                   \
139         else                                                                  \
140           {                                                                   \
141             put32 (outptr, res);                                              \
142             outptr += 4;                                                      \
143           }                                                                   \
144         ++inptr;                                                              \
145       }                                                                       \
146     else                                                                      \
147       {                                                                       \
148         const struct gap *rp2 = __ibm933db_to_ucs4_idx;                       \
149                                                                               \
150         assert (curcs == db);                                                 \
151                                                                               \
152         /* Use the IBM933 table for double byte.  */                          \
153         if (__glibc_unlikely (inptr + 1 >= inend))                            \
154           {                                                                   \
155             /* The second character is not available.  Store the              \
156                intermediate result. */                                        \
157             result = __GCONV_INCOMPLETE_INPUT;                                \
158             break;                                                            \
159           }                                                                   \
160                                                                               \
161         ch = (ch * 0x100) + inptr[1];                                         \
162         while (ch > rp2->end)                                                 \
163           ++rp2;                                                              \
164                                                                               \
        /* Terminator entry and gap checks run before the table index.  */    \
165         if (__builtin_expect (rp2->start == 0xffff, 0)                        \
166             || __builtin_expect (ch < rp2->start, 0)                          \
167             || (res = __ibm933db_to_ucs4[ch + rp2->idx],                      \
168                 __builtin_expect (res, L'\1') == L'\0' && ch != '\0'))        \
169           {                                                                   \
170             /* This is an illegal character.  */                              \
171             STANDARD_FROM_LOOP_ERR_HANDLER (2);                               \
172           }                                                                   \
173         else                                                                  \
174           {                                                                   \
175             put32 (outptr, res);                                              \
176             outptr += 4;                                                      \
177             inptr += 2;                                                       \
178           }                                                                   \
179       }                                                                       \
180   }
181 #define LOOP_NEED_FLAGS
182 #define EXTRA_LOOP_DECLS        , int *curcsp
183 #define INIT_PARAMS             int curcs = *curcsp & ~7
184 #define UPDATE_PARAMS           *curcsp = curcs
185 #include <iconv/loop.c>
186
/* BODY for the UCS4 -> IBM933 direction, expanded inside the conversion
   loop of iconv/loop.c (included at the end of this block), which
   supplies inptr, outptr, outend, result and the enclosing loop.
   NOTE(review): that file is not part of this listing -- confirm the
   details there.

   - ch >= 0xffff is handed to UNICODE_TAG_HANDLER and
     STANDARD_TO_LOOP_ERR_HANDLER before any table is touched.  Both are
     defined elsewhere and presumably always leave the iteration; the two
     `while (ch > rpN->end) ++rpN' walks below have no bound of their own
     and rely on that, plus index tables that end with an entry covering
     the largest accepted value (tables in ibm933.h, not shown -- confirm).
   - The single-byte table is tried first.  A zero first byte for a
     nonzero ch means "no single-byte mapping" and falls through to the
     double-byte table; failing there too is an illegal character.
   - Every store through outptr is preceded by a room check against
     outend.  The worst case is SO plus a two-byte code, which matches
     TO_LOOP_MAX_NEEDED_TO (3).
   - inptr advances by 4 only after the output bytes were stored.

   NOTE(review): in the single-byte branch SI is stored before the room
   check for the character byte, while curcs becomes sb only after the
   character byte is stored.  If that second check fails, the `break'
   leaves with SI already in the output and curcs still db; whether a
   retry then emits a second SI depends on how loop.c commits outptr and
   UPDATE_PARAMS on that path -- confirm.  The double-byte branch does
   not have this shape: it sets curcs = db right after storing SO.  */
187 /* Next, define the other direction.  */
188 #define MIN_NEEDED_INPUT        TO_LOOP_MIN_NEEDED_FROM
189 #define MAX_NEEDED_INPUT        TO_LOOP_MAX_NEEDED_FROM
190 #define MIN_NEEDED_OUTPUT       TO_LOOP_MIN_NEEDED_TO
191 #define MAX_NEEDED_OUTPUT       TO_LOOP_MAX_NEEDED_TO
192 #define LOOPFCT                 TO_LOOP
193 #define BODY \
194   {                                                                           \
195     uint32_t ch = get32 (inptr);                                              \
196     const struct gap *rp1 = __ucs4_to_ibm933sb_idx;                           \
197     const struct gap *rp2 = __ucs4_to_ibm933db_idx;                           \
198     const char *cp;                                                           \
199                                                                               \
200     if (__glibc_unlikely (ch >= 0xffff))                                      \
201       {                                                                       \
202         UNICODE_TAG_HANDLER (ch, 4);                                          \
203                                                                               \
204         STANDARD_TO_LOOP_ERR_HANDLER (4);                                     \
205       }                                                                       \
206                                                                               \
207     while (ch > rp1->end)                                                     \
208       ++rp1;                                                                  \
209                                                                               \
210     /* Use the UCS4 table for single byte.  */                                \
211     if (__builtin_expect (ch < rp1->start, 0)                                 \
212         || (cp = __ucs4_to_ibm933sb[ch + rp1->idx],                           \
213             __builtin_expect (cp[0], L'\1') == L'\0' && ch != '\0'))          \
214       {                                                                       \
215         /* Use the UCS4 table for double byte.  */                            \
216         while (ch > rp2->end)                                                 \
217           ++rp2;                                                              \
218                                                                               \
219         if (__builtin_expect (ch < rp2->start, 0)                             \
220             || (cp = __ucs4_to_ibm933db[ch + rp2->idx],                       \
221                 __builtin_expect (cp[0], L'\1')==L'\0' && ch != '\0'))        \
222           {                                                                   \
223             /* This is an illegal character.  */                              \
224             STANDARD_TO_LOOP_ERR_HANDLER (4);                                 \
225           }                                                                   \
226         else                                                                  \
227           {                                                                   \
228             if (curcs == sb)                                                  \
229               {                                                               \
230                 if (__glibc_unlikely (outptr + 1 > outend))                   \
231                   {                                                           \
232                     result = __GCONV_FULL_OUTPUT;                             \
233                     break;                                                    \
234                   }                                                           \
235                 *outptr++ = SO;                                               \
236                 curcs = db;                                                   \
237               }                                                               \
238                                                                               \
239             if (__glibc_unlikely (outptr + 2 > outend))                       \
240               {                                                               \
241                 result = __GCONV_FULL_OUTPUT;                                 \
242                 break;                                                        \
243               }                                                               \
244             *outptr++ = cp[0];                                                \
245             *outptr++ = cp[1];                                                \
246           }                                                                   \
247       }                                                                       \
248     else                                                                      \
249       {                                                                       \
250         if (curcs == db)                                                      \
251           {                                                                   \
252             if (__glibc_unlikely (outptr + 1 > outend))                       \
253               {                                                               \
254                 result = __GCONV_FULL_OUTPUT;                                 \
255                 break;                                                        \
256               }                                                               \
            /* curcs is not updated here; it is set after the data byte.  */  \
257             *outptr++ = SI;                                                   \
258           }                                                                   \
259                                                                               \
260         if (__glibc_unlikely (outptr + 1 > outend))                           \
261           {                                                                   \
262             result = __GCONV_FULL_OUTPUT;                                     \
263             break;                                                            \
264           }                                                                   \
265         *outptr++ = cp[0];                                                    \
266         curcs = sb;                                                           \
267       }                                                                       \
268                                                                               \
269     /* Now that we wrote the output increment the input pointer.  */          \
270     inptr += 4;                                                               \
271   }
272 #define LOOP_NEED_FLAGS
273 #define EXTRA_LOOP_DECLS        , int *curcsp
274 #define INIT_PARAMS             int curcs = *curcsp & ~7
275 #define REINIT_PARAMS           curcs = *curcsp & ~7
276 #define UPDATE_PARAMS           *curcsp = curcs
277 #include <iconv/loop.c>
278
279 /* Now define the toplevel functions.  */
280 #include <iconv/skeleton.c>