I found the following hangs when running an iconv input fuzzer I wrote while trying to fix bug 19519. The hangs are present in master:
echo -en '\x00\x0f' | iconv -t UTF-8 -c -f IBM1364
echo -en '\x00\x0f' | iconv -t UTF-8 -c -f IBM1371
echo -en '\x00\x0f' | iconv -t UTF-8 -c -f IBM1388
echo -en '\x00\x0f' | iconv -t UTF-8 -c -f IBM1390
echo -en '\x00\x0f' | iconv -t UTF-8 -c -f IBM1399
These hangs are presently mentioned but commented out in iconv/tst-iconv_prog.sh and should eventually be un-commented when this bug is fixed.
The fuzzer itself (attachment 11786 [details]) should also be run against these character sets after this bug is fixed, because they skip all remaining inputs for a character set once they encounter a hang in the corresponding converter, and thus any other hangs (from possibly other bugs) aren't tested for.
Author: Arjun Shankar <email@example.com>
Date: Wed Nov 4 12:19:38 2020 +0100
iconv: Accept redundant shift sequences in IBM1364 [BZ #26224]
The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets
share converter logic (iconvdata/ibm1364.c) which would reject
redundant shift sequences when processing input in these character
sets. This led to a hang in the iconv program (CVE-2020-27618).
This commit adjusts the converter to ignore redundant shift sequences
and adds test cases for iconv_prog hangs that would be triggered upon
their rejection. This brings the implementation in line with other
converters that also ignore redundant shift sequences (e.g. IBM930
etc., fixed in commit 692de4b3960d).
Reviewed-by: Carlos O'Donell <firstname.lastname@example.org>