From 89e23615828ea64af9858e5942d6bc4d82c458a6 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Fri, 15 Jan 2021 07:44:50 -0500 Subject: [PATCH] Fix buffer overrun (oss-fuzz/28832+28807) len_out was wrapping to a large number when bad input was encountered. Ensure it's non-zero before proceeding with iconv. --- src/libmdb/iconv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libmdb/iconv.c b/src/libmdb/iconv.c index fcc5788..73851bf 100644 --- a/src/libmdb/iconv.c +++ b/src/libmdb/iconv.c @@ -53,7 +53,7 @@ static size_t decompressed_to_utf8_with_iconv(MdbHandle *mdb, const char *in_ptr char *out_ptr = dest; size_t len_out = dlen - 1; - while (1) { + while (len_out) { iconv(mdb->iconv_in, (ICONV_CONST char **)&in_ptr, &len_in, &out_ptr, &len_out); /* * Have seen database with odd number of bytes in UCS-2, shouldn't happen but protect against it