This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug locale/19418] New: iconv should stop reading from 'inbuf' when 'outbytesleft' is zero


https://sourceware.org/bugzilla/show_bug.cgi?id=19418

            Bug ID: 19418
           Summary: iconv should stop reading from 'inbuf' when
                    'outbytesleft' is zero
           Product: glibc
           Version: 2.19
            Status: NEW
          Keywords: std-posix
          Severity: normal
          Priority: P2
         Component: locale
          Assignee: unassigned at sourceware dot org
          Reporter: heiko at hexco dot de
  Target Milestone: ---

Created attachment 8871
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8871&action=edit
test program that demonstrates that iconv reads from inbuf even if
outbytesleft == 0

Quote from the opengroup description
(http://pubs.opengroup.org/onlinepubs/009695399/functions/iconv.html):

If the output buffer is not large enough to hold the entire converted input,
conversion shall stop just prior to the input bytes that would cause the output
buffer to overflow.
= end quote =

What I see instead is that iconv() reads 'inbytesleft' unconditionally when at
least one character has been converted.

I have added a test program to demonstrate the issue. (Compile with 'gcc
-fsanitize=address -g -o test_iconv test_iconv.c'.)
(There are two variants: one with memory from the heap (preferred)
and one with an anonymously memory-mapped region.)

I am converting "1" from UTF-8 to UCS-2BE. 'outbuf' has two bytes, so
'outbytesleft' is initialized to 2.
It seems to me that 'outbytesleft' is not checked before reading from 'inbuf'.

Three calls are done with 'inbytesleft' set to 1, 2 and 3.
Expected behaviour would be in each case:
read one byte input, 
convert it to 2 bytes output,
place it in the outbuf,
increment pointers, decrement counters,
check if there is space left in the 'outbuf',
and since there is no space left, terminate the loop.
-
AddressSanitizer confirms that up to 3 bytes are read instead.

This is done on AMD64 on Ubuntu, with gcc 5.3.

Best regards, Heiko
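The following probe is an added example, not the reporter's attachment 8871 and not glibc code. It reproduces the setup described in the report: "1" converted from UTF-8 to UCS-2BE into an output buffer of exactly two bytes, with inbytesleft set to 1, 2 and 3. The trailing input bytes ("123"), the struct and the helper name probe_iconv are this example's own choices. Both buffers are separate heap allocations of exactly the advertised size, so a read past inbuf shows up as a heap-buffer-overflow when built with -fsanitize=address, as in the report. The values the harness checks are only the POSIX-visible contract (return value, errno, the in/out counters, the two output bytes), which hold whether or not the over-read happens; the over-read itself is not observable through return values and has to be caught by the sanitizer.

```c
/* Added probe for the behaviour described in bug 19418.  Not the reporter's
 * attachment: the input bytes "123", the struct and probe_iconv are this
 * example's own.  Build with: gcc -fsanitize=address -g probe.c -o probe */
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What one iconv() call returned and what it did to the counters. */
struct probe {
    size_t ret;            /* iconv() return value, (size_t)-1 on error */
    int err;               /* errno when ret == (size_t)-1, else 0 */
    size_t in_left;        /* inbytesleft after the call */
    size_t out_left;       /* outbytesleft after the call */
    unsigned char out[2];  /* the UCS-2BE bytes produced */
};

/* Convert the first in_len bytes of the constructed input "123" from UTF-8
 * to UCS-2BE into an output buffer of exactly two bytes (room for one
 * UCS-2 unit).  inbuf is a heap block of exactly in_len bytes with no slack,
 * so any read beyond it is a heap-buffer-overflow for AddressSanitizer.
 * Returns 0 on success, -1 if in_len is out of range or the converter
 * could not be opened. */
int probe_iconv(size_t in_len, struct probe *p)
{
    static const char sample[] = "123";   /* constructed input, ASCII only */
    if (in_len == 0 || in_len > strlen(sample))
        return -1;

    iconv_t cd = iconv_open("UCS-2BE", "UTF-8");
    if (cd == (iconv_t)-1)
        return -1;

    char *inbuf = malloc(in_len);          /* exactly in_len bytes */
    char *outbuf = malloc(2);              /* exactly one UCS-2 code unit */
    if (inbuf == NULL || outbuf == NULL) {
        free(inbuf);
        free(outbuf);
        iconv_close(cd);
        return -1;
    }
    memcpy(inbuf, sample, in_len);

    char *inp = inbuf, *outp = outbuf;
    size_t inbytesleft = in_len, outbytesleft = 2;

    errno = 0;
    p->ret = iconv(cd, &inp, &inbytesleft, &outp, &outbytesleft);
    p->err = (p->ret == (size_t)-1) ? errno : 0;
    p->in_left = inbytesleft;
    p->out_left = outbytesleft;
    memcpy(p->out, outbuf, 2);             /* one unit was always produced */

    free(inbuf);
    free(outbuf);
    iconv_close(cd);
    return 0;
}

int main(void)
{
    /* The three calls from the report: inbytesleft = 1, 2, 3.  The first
     * fits exactly and returns 0; the other two must stop with E2BIG after
     * consuming one byte, leaving in_left = inbytesleft - 1.  Whether the
     * remaining bytes were nevertheless read is what ASan reports. */
    for (size_t n = 1; n <= 3; n++) {
        struct probe p;
        if (probe_iconv(n, &p) != 0) {
            fprintf(stderr, "iconv_open(\"UCS-2BE\", \"UTF-8\") failed\n");
            return 1;
        }
        printf("inbytesleft=%zu: ret=%ld errno=%d in_left=%zu out_left=%zu "
               "out=%02x %02x\n",
               n, (long)p.ret, p.err, p.in_left, p.out_left, p.out[0], p.out[1]);
    }
    return 0;
}
```

Run it under AddressSanitizer: a clean run means the converter touched only the byte it consumed; a heap-buffer-overflow READ report on the inbuf allocation for inbytesleft 2 or 3 is the over-read the report describes. On any glibc, the counters still satisfy the POSIX contract (E2BIG, one byte consumed, two bytes produced), which is why return values alone cannot show the problem.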

