Date: Tue, 30 Jun 2026 17:21:11 +0000 From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: ce422ff3fcc6 - releng/14.4 - iconv: Fix a buffer overflow in the HZ encoding Message-ID: <6a43fb07.44cf5.791a392e@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch releng/14.4 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=ce422ff3fcc621bd6857c69fea0b2e637c319ef3 commit ce422ff3fcc621bd6857c69fea0b2e637c319ef3 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2026-06-23 16:05:31 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2026-06-29 21:26:44 +0000 iconv: Fix a buffer overflow in the HZ encoding wcrtomb may store up to 2 2-byte escape sequences to the state buffer in addition to the character itself. In the worst case, a 3-byte heap overflow is possible. Approved by: so Security: FreeBSD-SA-26:49.iconv Security: CVE-2026-58081 Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D57949 --- lib/libiconv_modules/HZ/citrus_hz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/libiconv_modules/HZ/citrus_hz.c b/lib/libiconv_modules/HZ/citrus_hz.c index db738b8f812e..e16ab3a8e34c 100644 --- a/lib/libiconv_modules/HZ/citrus_hz.c +++ b/lib/libiconv_modules/HZ/citrus_hz.c @@ -132,7 +132,7 @@ typedef struct { typedef struct { escape_t *inuse; int chlen; - char ch[ROWCOL_MAX]; + char ch[4 + ROWCOL_MAX]; } _HZState; #define _CEI_TO_EI(_cei_) (&(_cei_)->ei)home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a43fb07.44cf5.791a392e>
