mcm-musl-1.2.5-merged.diff (962B)
1 diff -ru --no-dereference --show-c-function musl-1.2.5/src/locale/iconv.c musl-1.2.5-0002-cve-2025-26519-p2/src/locale/iconv.c 2 --- a/src/locale/iconv.c 2024-03-01 02:07:33.000000000 +0000 3 +++ b/src/locale/iconv.c 2025-11-30 03:41:41.575685860 +0000 4 @@ -495,7 +495,7 @@ size_t iconv(iconv_t cd, char **restrict 5 if (c >= 93 || d >= 94) { 6 c += (0xa1-0x81); 7 d += 0xa1; 8 - if (c >= 93 || c>=0xc6-0x81 && d>0x52) 9 + if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52) 10 goto ilseq; 11 if (d-'A'<26) d = d-'A'; 12 else if (d-'a'<26) d = d-'a'+26; 13 @@ -538,6 +538,10 @@ size_t iconv(iconv_t cd, char **restrict 14 if (*outb < k) goto toobig; 15 memcpy(*out, tmp, k); 16 } else k = wctomb_utf8(*out, c); 17 + /* This failure condition should be unreachable, but 18 + * is included to prevent decoder bugs from translating 19 + * into advancement outside the output buffer range. */ 20 + if (k>4) goto ilseq; 21 *out += k; 22 *outb -= k; 23 break;