From owner-freebsd-bugs@FreeBSD.ORG Mon Feb 18 17:10:00 2013 Return-Path: Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id B35DF592 for ; Mon, 18 Feb 2013 17:10:00 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 92C01A14 for ; Mon, 18 Feb 2013 17:10:00 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.6/8.14.6) with ESMTP id r1IHA01r033586 for ; Mon, 18 Feb 2013 17:10:00 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.6/8.14.6/Submit) id r1IHA0bH033585; Mon, 18 Feb 2013 17:10:00 GMT (envelope-from gnats) Resent-Date: Mon, 18 Feb 2013 17:10:00 GMT Resent-Message-Id: <201302181710.r1IHA0bH033585@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "J.R. Oldroyd" Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id EC5623E9 for ; Mon, 18 Feb 2013 17:03:21 +0000 (UTC) (envelope-from jr@opal.com) Received: from mho-01-ewr.mailhop.org (mho-03-ewr.mailhop.org [204.13.248.66]) by mx1.freebsd.org (Postfix) with ESMTP id BF19D9B5 for ; Mon, 18 Feb 2013 17:03:21 +0000 (UTC) Received: from pool-141-154-241-44.bos.east.verizon.net ([141.154.241.44] helo=homobox.opal.com) by mho-01-ewr.mailhop.org with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from ) id 1U7U7X-000NzK-EH for FreeBSD-gnats-submit@freebsd.org; Mon, 18 Feb 2013 17:03:15 +0000 Received: from shibato.opal.com (shibato.opal.com [IPv6:2001:470:8cb8:4:221:63ff:fe5a:c9a7]) (authenticated bits=0) by homobox.opal.com (8.14.4/8.14.4) with ESMTP id r1IH3Crb015757 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 18 Feb 2013 12:03:14 -0500 (EST) (envelope-from jr@opal.com) Received: from shibato.opal.com (localhost [127.0.0.1]) by shibato.opal.com (8.14.5/8.14.5) with ESMTP id r1IH3B1g090565 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Mon, 18 Feb 2013 12:03:11 -0500 (EST) (envelope-from jr@opal.com) Received: (from jr@localhost) by shibato.opal.com (8.14.5/8.14.5/Submit) id r1IH3Bum090564; Mon, 18 Feb 2013 12:03:11 -0500 (EST) (envelope-from jr) Message-Id: <201302181703.r1IH3Bum090564@shibato.opal.com> Date: Mon, 18 Feb 2013 12:03:11 -0500 (EST) From: "J.R. Oldroyd" To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 Subject: bin/176250: euc locale input modifies data X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: "J.R. Oldroyd" List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2013 17:10:00 -0000 >Number: 176250 >Category: bin >Synopsis: euc locale input modifies data >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Feb 18 17:10:00 UTC 2013 >Closed-Date: >Last-Modified: >Originator: J.R. Oldroyd >Release: FreeBSD 9.1-RELEASE amd64 >Organization: >Environment: System: FreeBSD xx.opal.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r244985: Tue Jan 8 10:51:13 EST 2013 jr@xx.opal.com:/usr/src/sys/amd64/compile/GENERIC amd64 >Description: When reading an invalid multibyte data sequence while set to an euc locale, e.g., ja_JP.eucJP, the src/lib/libc/locale/euc.c code will modify the bytes read to ensure that the 0x8080 or 0x808080 bits are set. This has the effect of silently returning data other than that which was in the input. There is then no way of detecting that the input sequence was invalid. The correct behavior is to test that those bits are set, return the data if they are, but return EILSEQ if not. Fix is applicable to 10-current and 9-stable. Please MFC. >How-To-Repeat: 1. Create test file containing invalid euc multibyte characters such as: 0xa440 0xac4f 0xb36f 0xcf20 2. Set locale to, e.g., ja_JP.eucJP. 3. Read characters from file using getwc(). Observe that what's read is: 0xa4c0 0xaccf 0xb3ef 0xcfa0 >Fix: --- src/lib/libc/locale/euc.c.orig 2013-01-02 19:26:36.000000000 -0500 +++ src/lib/libc/locale/euc.c 2013-02-17 15:51:58.000000000 -0500 @@ -215,7 +215,11 @@ es->ch = wc; return ((size_t)-2); } - wc = (wc & ~CEI->mask) | CEI->bits[set]; + if (wc != ((wc & ~CEI->mask) | CEI->bits[set])) { + /* Invalid multibyte sequence */ + errno = EILSEQ; + return ((size_t)-1); + } if (pwc != NULL) *pwc = wc; es->want = 0; >Release-Note: >Audit-Trail: >Unformatted: