Project

General

Profile

Actions
Copy link

Bug #18651

closed

oob access in CP51932 -> CP50220 transcoder

Added by ahorek (Pavel Rosický) over 2 years ago. Updated about 1 year ago.

Status:
Closed
Assignee:
akr (Akira Tanaka)
Target version:
-
ruby -v:
Backport:
2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN
[ruby-core:107994]

Description

Hello,
while working on a port of Japanese transcoder, I found a potential out of bounds access:
https://github.com/ruby/ruby/blob/73541cdc2f192f856ab19781472cdccbf9c21f71/enc/trans/iso2022.trans#L465

tbl0208 has 126 chars
in this example const char *p = tbl0208 + 186 leads to undefined behavior (without any error)

test case

str = "\x00\x7F\x8E\xA1\x8E\xFE\xA1\xA1\xA1\xFE".force_encoding("CP51932")
str.encode("CP50220").bytes
[0, 127, 27, 36, 66, 33, 35, 80, 0, 33, 33, 33, 126, 27, 40, 66]

nkf does convert the string differently

nkf --ic=CP51932 --oc=CP50220 test.txt > out.txt
[0, 127, 27, 40, 73, 33, 126, 27, 36, 66, 33, 33, 33, 126, 27, 40, 66]

is it a bug?

Actions
Copy link
 #1 [ruby-core:108031]

Updated by duerst (Martin Dürst) over 2 years ago

  • Assignee set to akr (Akira Tanaka)
Actions
Copy link
 #2 [ruby-core:108037]

Updated by nobu (Nobuyoshi Nakada) over 2 years ago

Accessing outside the table is definitely a bug.
Before that, SS2+0xA1 which should be JIS0201 is converted to JIS0208.

Actions
Copy link
 #3 [ruby-core:108038]

Updated by nobu (Nobuyoshi Nakada) over 2 years ago

As this converter seems to convert JIS0201 to JIS0208 as possible, this part would be intentional.

Actions
Copy link
 #4

Updated by jeremyevans0 (Jeremy Evans) about 1 year ago

  • Status changed from Open to Closed
Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0Like0