This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug locale/19804] New: NULL pointer dereference in iconv()
- From: "alex_dfr at hotmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 10 Mar 2016 12:30:38 +0000
- Subject: [Bug locale/19804] New: NULL pointer dereference in iconv()
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=19804
Bug ID: 19804
Summary: NULL pointer dereference in iconv()
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: locale
Assignee: unassigned at sourceware dot org
Reporter: alex_dfr at hotmail dot com
Target Milestone: ---
While checking the sources of glibc with clang's static analyzer, I found a
case of a NULL pointer dereference in the iconv() function.
It happens at line 55 in the following expression:
"(unsigned char *) (*outbuf + *outbytesleft)".
Earlier in this function there is a check for the value of "outbuf", and the
code in the other branch of the "if"-conditional uses the correct "safe"
pointer called "outstart". It looks like this was a result of a copy-paste and
not fixed later.
According to the manual page, and to the fact that "outbuf" was checked for
NULL at the start of the function, passing a NULL pointer as the "outbuf"
argument to iconv is a valid scenario.
The minimal test case to trigger the bug is the following:
    #include <iconv.h>
    #include <stddef.h>

    int main(void) {
        char foo[] = "foo";
        char *in = foo;      /* iconv() takes char **, so pass the address of a char * */
        size_t sz = 3;
        /* outbuf and outbytesleft are NULL: the combination that crashes.
           The descriptor is 0 as in the original report; the crash is in the
           argument expression, before the descriptor is used. */
        iconv((iconv_t) 0, &in, &sz, NULL, NULL);
        return 0;
    }
The patch should be trivial, but I have not checked the logic of the code
further to understand if it is safe to use the "outstart" as in the other
branch of the condition or if it is better to exit early.
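The documented NULL-argument call shapes of iconv() (normal conversion, flush with inbuf NULL, full reset with everything NULL), together with a guarded computation of the output-end pointer in the style the report attributes to the "outstart" branch, as an added example. This is not code from the bug report or from glibc; the function names out_end and convert_utf8_to_ucs2le are chosen here, and the UTF-8 to UCS-2LE conversion is picked because it is built into glibc without external gconv modules.

```c
/* Added example, not from the bug report or glibc. */
#include <iconv.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compute the one-past-the-end pointer of the output buffer from a checked
   copy of *outbuf, so a NULL outbuf, NULL *outbuf or NULL outbytesleft
   yields NULL instead of a dereference. This mirrors what the report says
   the "outstart" branch of iconv() does. */
static char *out_end(char **outbuf, size_t *outbytesleft)
{
    char *outstart = (outbuf != NULL) ? *outbuf : NULL;
    if (outstart == NULL || outbytesleft == NULL)
        return NULL;
    return outstart + *outbytesleft;
}

/* Convert the UTF-8 string `in` to UCS-2LE into `out` (capacity `cap`).
   Returns the number of bytes written, or -1 on error. Exercises the three
   call shapes the manual page documents for NULL arguments. */
static long convert_utf8_to_ucs2le(const char *in, char *out, size_t cap)
{
    iconv_t cd = iconv_open("UCS-2LE", "UTF-8");
    if (cd == (iconv_t) -1)
        return -1;

    char *inp = (char *) in;      /* iconv() wants char ** even for input */
    size_t inleft = strlen(in);
    char *outp = out;
    size_t outleft = cap;

    /* Sanity check on the guarded end-pointer computation. */
    if (out_end(&outp, &outleft) != out + cap) {
        iconv_close(cd);
        return -1;
    }

    /* 1. Normal conversion: all four pointers valid. */
    if (iconv(cd, &inp, &inleft, &outp, &outleft) == (size_t) -1) {
        iconv_close(cd);
        return -1;
    }
    /* 2. Flush pending shift state: inbuf NULL, outbuf non-NULL. */
    if (iconv(cd, NULL, NULL, &outp, &outleft) == (size_t) -1) {
        iconv_close(cd);
        return -1;
    }
    /* 3. Reset the descriptor to its initial state: every pointer NULL. */
    iconv(cd, NULL, NULL, NULL, NULL);

    iconv_close(cd);
    return (long) (cap - outleft);
}

int main(void)
{
    char buf[16];
    long n = convert_utf8_to_ucs2le("AB", buf, sizeof buf);
    printf("wrote %ld bytes\n", n);
    return n < 0;
}
```

Calling convert_utf8_to_ucs2le("AB", buf, 16) writes 4 bytes (0x41 0x00 0x42 0x00); out_end returns NULL for a NULL outbuf or a NULL *outbuf, which is the input the report's test case feeds to iconv().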