git: 0b49a3af873d - releng/14.3 - iconv: Fix a buffer overflow in the HZ encoding
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 30 Jun 2026 17:20:45 UTC
The branch releng/14.3 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=0b49a3af873dd062538e806722348ef02dd20dac
commit 0b49a3af873dd062538e806722348ef02dd20dac
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-06-23 16:05:31 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-30 02:32:02 +0000
iconv: Fix a buffer overflow in the HZ encoding
wcrtomb may store up to 2 2-byte escape sequences to the state buffer in
addition to the character itself. In the worst case, a 3-byte heap
overflow is possible.
Approved by: so
Security: FreeBSD-SA-26:49.iconv
Security: CVE-2026-58081
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D57949
---
lib/libiconv_modules/HZ/citrus_hz.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/libiconv_modules/HZ/citrus_hz.c b/lib/libiconv_modules/HZ/citrus_hz.c
index db738b8f812e..e16ab3a8e34c 100644
--- a/lib/libiconv_modules/HZ/citrus_hz.c
+++ b/lib/libiconv_modules/HZ/citrus_hz.c
@@ -132,7 +132,7 @@ typedef struct {
typedef struct {
escape_t *inuse;
int chlen;
- char ch[ROWCOL_MAX];
+ char ch[4 + ROWCOL_MAX];
} _HZState;
#define _CEI_TO_EI(_cei_) (&(_cei_)->ei)