1 files changed, 41 insertions, 0 deletions

diff --git a/main/musl/0002-fix-buffer-overflow-in-mbsrtowcs.patch b/main/musl/0002-fix-buffer-overflow-in-mbsrtowcs.patch
new file mode 100644
index 0000000000..8b68cc8777
--- /dev/null
+++ b/main/musl/0002-fix-buffer-overflow-in-mbsrtowcs.patch
@@ -0,0 +1,41 @@
+From 211264e46a2f1bc382a84435e904d1548de672b0 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Fri, 27 Sep 2013 13:09:46 -0400
+Subject: [PATCH] fix buffer overflow in mbsrtowcs
+
+issue reported by Michael Forney:
+
+"If wn becomes 0 after processing a chunk of 4, mbsrtowcs currently
+continues on, wrapping wn around to -1, causing the rest of the string
+to be processed.
+
+This resulted in buffer overruns if there was only space in ws for wn
+wide characters."
+
+the original patch submitted added an additional check for !wn after
+the loop; to avoid extra branching, I instead just changed the wn>=4
+check to wn>=5 to ensure that at least one slot remains after the
+word-at-a-time loop runs. this should not slow down the tail
+processing on real-world usage, since an extra slot that can't be
+processed in the word-at-a-time loop is needed for the null
+termination anyway.
+---
+ src/multibyte/mbsrtowcs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/multibyte/mbsrtowcs.c b/src/multibyte/mbsrtowcs.c
+index b9bbc33..066cce6 100644
+--- a/src/multibyte/mbsrtowcs.c
++++ b/src/multibyte/mbsrtowcs.c
+@@ -59,7 +59,7 @@ resume0:
+ 			return wn0;
+ 		}
+ 		if (*s-1u < 0x7f && (uintptr_t)s%4 == 0) {
+-			while (wn>=4 && !(( *(uint32_t*)s | *(uint32_t*)s-0x01010101) & 0x80808080)) {
++			while (wn>=5 && !(( *(uint32_t*)s | *(uint32_t*)s-0x01010101) & 0x80808080)) {
+ 				*ws++ = *s++;
+ 				*ws++ = *s++;
+ 				*ws++ = *s++;
+-- 
+1.8.4
+