This is the mail archive of the
mailing list for the glibc project.
[Bug locale/19418] New: iconv should stop reading from 'inbuf' when 'outbytesleft' is zero
- From: "heiko at hexco dot de" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 30 Dec 2015 14:51:47 +0000
- Subject: [Bug locale/19418] New: iconv should stop reading from 'inbuf' when 'outbytesleft' is zero
- Auto-submitted: auto-generated
Bug ID: 19418
Summary: iconv should stop reading from 'inbuf' when
'outbytesleft' is zero
Assignee: unassigned at sourceware dot org
Reporter: heiko at hexco dot de
Target Milestone: ---
Created attachment 8871
test programm that demonstrates that iconv reads from inbuf even if
outbytesleft == 0
Quote from the opengroup description
If the output buffer is not large enough to hold the entire converted input,
conversion shall stop just prior to the input bytes that would cause the output
buffer to overflow.
= end quote =
What I see instead is that iconv() reads 'inbytesleft' unconditionally, when at
least one character had been converted.
I have added a test program to demonstrate the issue. (Compile with 'gcc
-fsanitize=address -g -o test_iconv test_iconv.c').
(There are two variants: one with memory from the heap (preferred)
and one with an anonymously memory mapped region).
I am converting "1" from UTF-8 to UCS-2BE. 'outbuf' has two bytes, so
'outbytesleft' is initialized to 2.
It seems to me that 'outbytesleft' is not checked before reading from 'inbuf'.
Three calls are done with 'inbytesleft' set to 1, 2 and 3.
Expected behaviour would be in each case:
read one byte input,
convert it to 2 bytes output,
place it in the outbuf,
increment pointers, decrement counters,
check if there is space left in the 'outbuf',
and since there is no space left, terminate the loop.
Address sanitizer confirms, that up to 3 bytes are read instead.
This is done on AMD64 on Ubuntu, with gcc 5.3.
Best regards, Heiko
You are receiving this mail because:
You are on the CC list for the bug.