Date: Tue, 30 Jun 2026 17:20:45 +0000 From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 0b49a3af873d - releng/14.3 - iconv: Fix a buffer overflow in the HZ encoding Message-ID: <6a43faed.444e8.577b65da@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=0b49a3af873dd062538e806722348ef02dd20dac commit 0b49a3af873dd062538e806722348ef02dd20dac Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2026-06-23 16:05:31 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2026-06-30 02:32:02 +0000 iconv: Fix a buffer overflow in the HZ encoding wcrtomb may store up to 2 2-byte escape sequences to the state buffer in addition to the character itself. In the worst case, a 3-byte heap overflow is possible. Approved by: so Security: FreeBSD-SA-26:49.iconv Security: CVE-2026-58081 Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D57949 --- lib/libiconv_modules/HZ/citrus_hz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/libiconv_modules/HZ/citrus_hz.c b/lib/libiconv_modules/HZ/citrus_hz.c index db738b8f812e..e16ab3a8e34c 100644 --- a/lib/libiconv_modules/HZ/citrus_hz.c +++ b/lib/libiconv_modules/HZ/citrus_hz.c @@ -132,7 +132,7 @@ typedef struct { typedef struct { escape_t *inuse; int chlen; - char ch[ROWCOL_MAX]; + char ch[4 + ROWCOL_MAX]; } _HZState; #define _CEI_TO_EI(_cei_) (&(_cei_)->ei)home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a43faed.444e8.577b65da>
