git: fc6e7313929d - releng/15.0 - iconv: Fix a buffer overflow in the HZ encoding

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Tue, 30 Jun 2026 17:21:39 UTC
The branch releng/15.0 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=fc6e7313929da2187c2e7662df03022c321e5320

commit fc6e7313929da2187c2e7662df03022c321e5320
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-06-23 16:05:31 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-30 02:32:58 +0000

    iconv: Fix a buffer overflow in the HZ encoding
    
    wcrtomb may store up to 2 2-byte escape sequences to the state buffer in
    addition to the character itself.  In the worst case, a 3-byte heap
    overflow is possible.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:49.iconv
    Security:       CVE-2026-58081
    Reviewed by:    kevans
    Differential Revision:  https://reviews.freebsd.org/D57949
---
 lib/libiconv_modules/HZ/citrus_hz.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/libiconv_modules/HZ/citrus_hz.c b/lib/libiconv_modules/HZ/citrus_hz.c
index db738b8f812e..e16ab3a8e34c 100644
--- a/lib/libiconv_modules/HZ/citrus_hz.c
+++ b/lib/libiconv_modules/HZ/citrus_hz.c
@@ -132,7 +132,7 @@ typedef struct {
 typedef struct {
 	escape_t	*inuse;
 	int		 chlen;
-	char		 ch[ROWCOL_MAX];
+	char		 ch[4 + ROWCOL_MAX];
 } _HZState;
 
 #define _CEI_TO_EI(_cei_)		(&(_cei_)->ei)