[CVE-2019-25013] Fix buffer overrun in EUC-KR conversion module (bz #24973) 06/252506/1 accepted/tizen_6.0_unified tizen_6.0 accepted/tizen/6.0/unified/20210311.081910 accepted/tizen/unified/20210201.055358 submit/tizen/20210129.052042 submit/tizen_6.0/20210310.051123
authorAndreas Schwab <schwab@suse.de>
Mon, 21 Dec 2020 03:26:43 +0000 (08:56 +0530)
committerDongHun Kwak <dh0128.kwak@samsung.com>
Fri, 29 Jan 2021 05:01:00 +0000 (14:01 +0900)
The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
area and is not allowed.  The from_euc_kr function used to skip two bytes
when told to skip over the unknown designation, potentially running over
the buffer end.

Change-Id: I832212c1293fab982b2811fc6111575d0f7089fb
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
iconvdata/euc-kr.c
iconvdata/ksc5601.h

index 552b8f541170e3baa5871cded2351070bedc91b6..5ec9647204cd0c0697e1df72f8097bf069d53217 100644 (file)
@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp)
                                                                              \
     if (ch <= 0x9f)                                                          \
       ++inptr;                                                               \
-    /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are                   \
-       user-defined areas.  */                                               \
-    else if (__builtin_expect (ch == 0xa0, 0)                                \
-            || __builtin_expect (ch > 0xfe, 0)                               \
-            || __builtin_expect (ch == 0xc9, 0))                             \
+      else if (__glibc_unlikely (ch == 0xa0))     \
       {                                                                              \
        /* This is illegal.  */                                               \
        STANDARD_FROM_LOOP_ERR_HANDLER (1);                                   \
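Review bot: With the `ch > 0xfe` and `ch == 0xc9` tests removed, 0xa0 is the only lead byte rejected at this `else if`, and nothing in the macro body now says where the user-defined rows are caught. Judging from the ksc5601.h section of this commit, that rejection happens in ksc5601_to_ucs4 through `(ch - offset) >= 0x7e` and `(ch - offset) == 0x49`, after its length check; a replacement comment such as `/* Other invalid lead bytes are rejected by ksc5601_to_ucs4 once two bytes are known to be available.  */` would keep that dependency visible. The added line is also indented two columns deeper than the `if (ch <= 0x9f)` it pairs with, and its continuation backslash no longer lines up with the others, which is worth fixing while the line is being touched. The rest of the macro body, including the two-byte error path, lies outside the hunk.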
index 1b9ea4a58492993ed9aab1f7920d01fd5abc371c..53b69584c57581dcb4fd19549069b4b927af9b03 100644 (file)
@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avail, unsigned char offset)
   unsigned char ch2;
   int idx;
 
+  if (avail < 2)
+    return 0;
+
   /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
 
   if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
       || (ch - offset) == 0x49)
     return __UNKNOWN_10646_CHAR;
 
-  if (avail < 2)
-    return 0;
-
   ch2 = (*s)[1];
   if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
     return __UNKNOWN_10646_CHAR;
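Review bot: The moved `if (avail < 2) return 0;` makes 0 the result for any lone lead byte, valid or not, yet no comment states that 0 means "input incomplete" rather than a converted character. I would add above the check `/* Both bytes must be present before the lead byte is classified; 0 tells the caller the input is incomplete.  */`, since callers that skip two bytes on `__UNKNOWN_10646_CHAR` depend on this ordering. A trailing invalid lead byte is now reported as incomplete input instead of illegal input, which presumably affects every converter that includes this header, so those callers should be checked. `ch` is initialised above the hunk; if that initialisation reads `**s`, callers must still guarantee `avail >= 1`. The commit lists only the two source files, so no regression test for input truncated after a lead byte appears to be included.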