Patch Detail
GET /api/patches/2218590/?format=api
{ "id": 2218590, "url": "http://patchwork.ozlabs.org/api/patches/2218590/?format=api", "web_url": "http://patchwork.ozlabs.org/project/glibc/patch/87bjg2eprs.fsf@oldenburg.str.redhat.com/", "project": { "id": 41, "url": "http://patchwork.ozlabs.org/api/projects/41/?format=api", "name": "GNU C Library", "link_name": "glibc", "list_id": "libc-alpha.sourceware.org", "list_email": "libc-alpha@sourceware.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<87bjg2eprs.fsf@oldenburg.str.redhat.com>", "list_archive_url": null, "date": "2026-04-01T14:09:11", "name": "Use pending character state in IBM1364-derived character sets (CVE-2026-4046)", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "341c6f9dc4d755db3fac41f0e74257b6de793086", "submitter": { "id": 14312, "url": "http://patchwork.ozlabs.org/api/people/14312/?format=api", "name": "Florian Weimer", "email": "fweimer@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/glibc/patch/87bjg2eprs.fsf@oldenburg.str.redhat.com/mbox/", "series": [ { "id": 498340, "url": "http://patchwork.ozlabs.org/api/series/498340/?format=api", "web_url": "http://patchwork.ozlabs.org/project/glibc/list/?series=498340", "date": "2026-04-01T14:09:11", "name": "Use pending character state in IBM1364-derived character sets (CVE-2026-4046)", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/498340/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2218590/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2218590/checks/", "tags": {}, "related": [], "headers": { "From": "Florian Weimer <fweimer@redhat.com>", "To": "libc-alpha@sourceware.org", "Subject": "[PATCH] Use pending character state in IBM1364-derived character\n sets (CVE-2026-4046)", "Date": "Wed, 01 Apr 2026 16:09:11 +0200", "Message-ID": "<87bjg2eprs.fsf@oldenburg.str.redhat.com>", "Content-Type": "text/plain", "List-Id": "Libc-alpha mailing list <libc-alpha.sourceware.org>" }, "content": "Follow the example in iso-2022-jp-3.c and use the __count state\nvariable to store the pending character. 
This avoids restarting\nthe conversion if the output buffer ends between two 4-byte UCS-4\ncode points, so that the assert reported in the bug can no longer\nhappen.\n\nThis defect impacts the character sets IBM1364, IBM1371, IBM1388,\nIBM1390, IBM1399.\n\nThis fixes bug 33980.\n\nI wanted to post this now because I have not had a chance yet to write a\nproper test case for this. It should iterate over the potentially\nimpacted character sets and input patterns, and different output buffer\nsizes. If the character set matches the expected input for that\ncharacter, check that the output matches (concatenated over multiple\ncalls reusing the buffer) the precomputed expected output. Otherwise,\nthe test just verifies that there is no assert or other crash.\n\nThanks,\nFlorian\n---\n iconvdata/ibm1364.c | 70 +++++++++++++++++++++++++++++++++++++++++------------\n 1 file changed, 55 insertions(+), 15 deletions(-)\n\n\nbase-commit: 6abe432ec4aa1456151be8f9567c4d68f41d68f7", "diff": "diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c\nindex 4f41f22c12..49a30913a8 100644\n--- a/iconvdata/ibm1364.c\n+++ b/iconvdata/ibm1364.c\n@@ -67,12 +67,29 @@\n \n /* Since this is a stateful encoding we have to provide code which resets\n the output state to the initial state. This has to be done during the\n- flushing. */\n+ flushing. For the to-internal direction (FROM_DIRECTION is true),\n+ there may be a pending character that needs flushing. 
*/\n #define EMIT_SHIFT_TO_INIT \\\n if ((data->__statep->__count & ~7) != sb)\t\t\t\t \\\n {\t\t\t\t\t\t\t\t\t \\\n if (FROM_DIRECTION)\t\t\t\t\t\t \\\n-\tdata->__statep->__count &= 7;\t\t\t\t\t \\\n+\t{\t\t\t\t\t\t\t\t \\\n+\t uint32_t ch = data->__statep->__count >> 7;\t\t\t \\\n+\t if (__glibc_unlikely (ch != 0))\t\t\t\t \\\n+\t {\t\t\t\t\t\t\t\t \\\n+\t if (__glibc_unlikely (outend - outbuf < 4))\t\t \\\n+\t\tstatus = __GCONV_FULL_OUTPUT;\t\t\t\t \\\n+\t else\t\t\t\t\t\t\t \\\n+\t\t{\t\t\t\t\t\t\t \\\n+\t\t put32 (outbuf, ch);\t\t\t\t\t \\\n+\t\t outbuf += 4;\t\t\t\t\t\t \\\n+\t\t /* Clear character and db bit. */\t\t\t \\\n+\t\t data->__statep->__count &= 7;\t\t\t\t \\\n+\t\t}\t\t\t\t\t\t\t \\\n+\t }\t\t\t\t\t\t\t\t \\\n+\t else\t\t\t\t\t\t\t\t \\\n+\t data->__statep->__count &= 7;\t\t\t\t \\\n+\t}\t\t\t\t\t\t\t\t \\\n else\t\t\t\t\t\t\t\t \\\n \t{\t\t\t\t\t\t\t\t \\\n \t /* We are not in the initial state. To switch back we have\t \\\n@@ -99,11 +116,13 @@\n *curcsp = save_curcs\n \n \n-/* Current codeset type. */\n+/* Current codeset type. The bit is stored in the __count variable of\n+ the conversion state. If the db bit is set, bit 7 and above store\n+ a pending UCS-4 code point if non-zero. */\n enum\n {\n- sb = 0,\n- db = 64\n+ sb = 0,\t\t\t/* Single byte mode. */\n+ db = 64\t\t\t/* Double byte mode. */\n };\n \n \n@@ -119,21 +138,29 @@ enum\n }\t\t\t\t\t\t\t\t\t \\\n else\t\t\t\t\t\t\t\t \\\n {\t\t\t\t\t\t\t\t\t \\\n-\t/* This is a combined character. Make sure we have room. 
*/\t \\\n-\tif (__glibc_unlikely (outptr + 8 > outend))\t\t\t \\\n-\t {\t\t\t\t\t\t\t\t \\\n-\t result = __GCONV_FULL_OUTPUT;\t\t\t\t \\\n-\t break;\t\t\t\t\t\t\t \\\n-\t }\t\t\t\t\t\t\t\t \\\n-\t\t\t\t\t\t\t\t\t \\\n \tconst struct divide *cmbp\t\t\t\t\t \\\n \t = &DB_TO_UCS4_COMB[ch - __TO_UCS4_COMBINED_MIN];\t\t \\\n \tassert (cmbp->res1 != 0 && cmbp->res2 != 0);\t\t\t \\\n \t\t\t\t\t\t\t\t\t \\\n \tput32 (outptr, cmbp->res1);\t\t\t\t\t \\\n \toutptr += 4;\t\t\t\t\t\t\t \\\n-\tput32 (outptr, cmbp->res2);\t\t\t\t\t \\\n-\toutptr += 4;\t\t\t\t\t\t\t \\\n+\t\t\t\t\t\t\t\t\t \\\n+\t/* See whether we have room for two characters. */\t\t \\\n+\tif (outend - outptr >= 4)\t\t\t\t\t \\\n+\t {\t\t\t\t\t\t\t\t \\\n+\t put32 (outptr, cmbp->res2);\t\t\t\t\t \\\n+\t outptr += 4;\t\t\t\t\t\t \\\n+\t }\t\t\t\t\t\t\t\t \\\n+\telse\t\t\t\t\t\t\t\t \\\n+\t {\t\t\t\t\t\t\t\t \\\n+\t /* Otherwise store only the first character now, and\t \\\n+\t put the second one into the queue. */\t\t\t \\\n+\t curcs |= cmbp->res2 << 7;\t\t\t\t\t \\\n+\t inptr += 2;\t\t\t\t\t\t\t \\\n+\t /* Tell the caller why we terminate the loop. */\t\t \\\n+\t result = __GCONV_FULL_OUTPUT;\t\t\t\t \\\n+\t break;\t\t\t\t\t\t\t \\\n+\t }\t\t\t\t\t\t\t\t \\\n }\t\t\t\t\t\t\t\t\t \\\n }\n #else\n@@ -153,7 +180,20 @@ enum\n #define LOOPFCT \t\tFROM_LOOP\n #define BODY \\\n {\t\t\t\t\t\t\t\t\t \\\n- uint32_t ch = *inptr;\t\t\t\t\t\t \\\n+ uint32_t ch;\t\t\t\t\t\t\t \\\n+\t\t\t\t\t\t\t\t\t \\\n+ ch = curcs >> 7;\t\t\t\t\t\t\t \\\n+ if (__glibc_unlikely (ch != 0))\t\t\t\t\t \\\n+ {\t\t\t\t\t\t\t\t\t \\\n+\tput32 (outptr, ch);\t\t\t\t\t\t \\\n+\toutptr += 4;\t\t\t\t\t\t\t \\\n+\t/* Remove the pending character, but preserve state bits. */\t \\\n+\tcurcs &= (1 << 7) - 1;\t\t\t\t\t\t \\\n+\tcontinue;\t\t\t\t\t\t\t \\\n+ }\t\t\t\t\t\t\t\t\t \\\n+\t\t\t\t\t\t\t\t\t \\\n+ /* Otherwise read the next input byte. 
*/\t\t\t\t \\\n+ ch = *inptr;\t\t\t\t\t\t\t \\\n \t\t\t\t\t\t\t\t\t \\\n if (__builtin_expect (ch, 0) == SO)\t\t\t\t\t \\\n {\t\t\t\t\t\t\t\t\t \\\n", "prefixes": [] }
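Review bot: In the first hunk (@@ -67,12 +67,29 @@, EMIT_SHIFT_TO_INIT), the new FROM_DIRECTION branch sets status = __GCONV_FULL_OUTPUT when outend - outbuf < 4 and leaves __count untouched, but nothing in the visible lines shows that the flush path which expands this macro returns that status to the caller instead of overwriting it. If it is overwritten, the pending code point stays in the state and is never written. Please confirm this against the skeleton and add a flush call with fewer than 4 bytes of output room to the test case described in the cover text. As a smaller point, the inner store branch and the new else arm both end in data->__statep->__count &= 7; so the comment "Clear character and db bit" could sit on a single shared assignment.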
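Review bot: In the second hunk (@@ -99,11 +116,13 @@, comment above the enum), the description of __count is incomplete: "The bit is stored" does not say which bit, and the low three bits that EMIT_SHIFT_TO_INIT preserves with &= 7 are not mentioned at all. Suggest documenting the whole layout in one place (bits 0 to 2 preserved, bit 6 is db, bit 7 and above hold the pending UCS-4 code point) and giving the shift a name, since the literal 7 appears as >> 7, << 7 and (1 << 7) - 1 in the other hunks and is easy to confuse with the & 7 mask.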
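Review bot: In the third hunk (@@ -119,21 +138,29 @@, combined-character branch), put32 (outptr, cmbp->res1) is now reached with no room check in the visible lines, because the removed outptr + 8 > outend test was the only one here. If the loop skeleton guarantees 4 bytes of output before the body runs, a one-line comment saying so would make the store obviously safe; otherwise an outend - outptr < 4 check is needed before it. The full-output arm also advances the input (inptr += 2) while reporting __GCONV_FULL_OUTPUT, so a comment that the two input bytes are fully consumed and only res2 remains queued in curcs would help the next reader.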
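Review bot: In the last hunk (@@ -153,7 +180,20 @@, top of BODY), the pending code point is only written when the loop body executes, and the visible lines do not show whether a call that arrives with a pending code point, free output space and no further input runs the body at all. Please state in the comment whether that case is drained here or left to EMIT_SHIFT_TO_INIT, and include it in the planned test (output buffer of exactly 4 bytes, then a follow-up call with empty input). The branch also relies on 4 bytes of room being available when it calls put32 (outptr, ch); if that comes from the skeleton, say so next to the store.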