This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/17703] New: iconv(1) EFAULTs reading the second non-mmapable input


https://sourceware.org/bugzilla/show_bug.cgi?id=17703

            Bug ID: 17703
           Summary: iconv(1) EFAULTs reading the second non-mmapable input
           Product: glibc
           Version: 2.20
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: ricilake at gmail dot com
                CC: drepper.fsp at gmail dot com

This bug report is the result of a StackOverflow question:
http://stackoverflow.com/questions/27432033/process-substitution-not-working-for-input-files-with-iconv/27435671#27435671

A minimal reproducible test (linux):

$ iconv -f ISO-8859-1 -t UTF-8 <(printf \\xa3) <(printf \\xa5)
Âiconv: error while reading the input: Bad address

The error message is the result of an EFAULT during execution of read(2).

The bug is in the function process_fd in iconv/iconv_prog.c:

566   static char *inbuf = NULL;
567   static size_t maxlen = 0;
568   char *inptr = NULL;

inbuf is a temporary buffer used to read the entire input stream in the case
that an input argument cannot be mmap'd; maxlen is its current length. They are
declared static presumably to allow the buffer to be reused for subsequent
input streams. However, inptr (which is the point in the buffer at which to
read the next chunk of input) is always initialized to NULL, which is incorrect
if inbuf has been previously allocated; it should instead be initialized to
inbuf.

After the initialization, the function proceeds to attempt to fill inbuf up to
its current maximum size, maxlen:

569   size_t actlen = 0;
570
571   while (actlen < maxlen)
572     {
573       ssize_t n = read (fd, inptr, maxlen - actlen);

On the second invocation of process_fd, maxlen is not zero, so the loop is
entered and an attempt is made to read(2) into inptr, which is NULL. This
causes an EFAULT.

The fix, as indicated above:

568   char *inptr = inbuf;

-- 
You are receiving this mail because:
You are on the CC list for the bug.
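The failure mode described in the report can be reproduced in isolation. The following is an added model of process_fd's buffer handling, written for this page and not glibc's own code: the two function-level statics (inbuf, maxlen) are moved into a struct so the buggy initialisation (inptr = NULL) and the fixed one (inptr = inbuf) can be run side by side on the same input sequence. Inputs are constructed pipes preloaded with the same single bytes as the bug's <(printf \\xa3) <(printf \\xa5) reproducer; the growth step is 8 bytes rather than glibc's 32768 so the realloc path is exercised on a tiny input. Names (slurp_state, slurp_fd, pipe_with, second_input) are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for the statics in iconv_prog.c:process_fd.  Keeping
   them in a struct lets the buggy and fixed variants run independently.  */
struct slurp_state {
    char *inbuf;   /* buffer reused across inputs, like the static inbuf */
    size_t maxlen; /* current capacity of inbuf, like the static maxlen */
};

#define GROW 8 /* glibc grows by 32768; small here so tests hit the realloc path */

/* Read fd to EOF into st->inbuf.  Returns bytes read, or -1 with errno set.
   With fixed == 0 the local pointer starts at NULL exactly as in the report;
   with fixed == 1 it starts at st->inbuf, the one-line fix.  */
static ssize_t slurp_fd(struct slurp_state *st, int fd, int fixed)
{
    char *inptr = fixed ? st->inbuf : NULL;
    size_t actlen = 0;

    /* First pass: reuse the capacity an earlier call left behind.  On the
       first call maxlen is 0 and this loop is skipped, which is why the bug
       only shows on the second non-mmapable input.  */
    while (actlen < st->maxlen) {
        ssize_t n = read(fd, inptr, st->maxlen - actlen);
        if (n == 0)
            break;     /* EOF */
        if (n == -1)
            return -1; /* with inptr == NULL the kernel rejects the copy: EFAULT */
        inptr += n;
        actlen += n;
    }

    /* Buffer full (or never allocated): grow and keep reading.  inptr is
       recomputed from inbuf here, so this path never sees the NULL pointer.  */
    if (actlen == st->maxlen) {
        for (;;) {
            char *nb = realloc(st->inbuf, st->maxlen + GROW);
            if (nb == NULL)
                return -1;
            st->inbuf = nb;
            st->maxlen += GROW;
            inptr = st->inbuf + actlen;

            ssize_t n;
            do {
                n = read(fd, inptr, st->maxlen - actlen);
                if (n == -1)
                    return -1;
                inptr += n;
                actlen += n;
            } while (n > 0 && actlen < st->maxlen);

            if (n == 0)
                break;     /* EOF */
        }
    }
    return (ssize_t) actlen;
}

/* Constructed input: a pipe preloaded with s and closed for writing.  Like the
   /dev/fd/N that process substitution hands to iconv, it cannot be mmap'd.  */
static int pipe_with(const char *s)
{
    int p[2];
    if (pipe(p) == -1)
        return -1;
    size_t len = strlen(s);
    if (write(p[1], s, len) != (ssize_t) len) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);
    return p[0];
}

/* Feed two inputs through one state, as iconv does for two file arguments.
   Returns the second call's byte count, or -errno if that call failed.  */
static long second_input(int fixed)
{
    struct slurp_state st = { NULL, 0 };
    int fd1 = pipe_with("\xa3"); /* stands in for <(printf \\xa3) */
    int fd2 = pipe_with("\xa5"); /* stands in for <(printf \\xa5) */
    ssize_t r1 = slurp_fd(&st, fd1, fixed);
    ssize_t r2 = slurp_fd(&st, fd2, fixed);
    long result = (r2 == -1) ? -(long) errno : (long) r2;
    close(fd1);
    close(fd2);
    free(st.inbuf);
    return r1 == 1 ? result : -1000; /* first input must always read its 1 byte */
}

int main(void)
{
    long b = second_input(0), f = second_input(1);
    printf("buggy: second input -> %ld (%s)\n", b, b < 0 ? strerror((int) -b) : "ok");
    printf("fixed: second input -> %ld byte(s)\n", f);
    return 0;
}
```

With the NULL initialisation the second slurp fails on the very first read(2) with EFAULT ("Bad address"), matching the message in the report; with inptr = inbuf the same two inputs are read cleanly. Note that the kernel only reports EFAULT when there is data to copy, so an empty second input would mask the defect.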
