[Security] Musl patches for CVE-2025-26519 (#7084)

kaidokert · richfelker · web-flow · commit c6e661e60352 · 2025-09-05T22:08:12.000Z
Cherry-pick CVE-2025-26519 patches. Source: https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659 https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659 Bug: 408542807 --------- Co-authored-by: Rich Felker <dalias@aerifal.cx>
diff --git a/third_party/musl/METADATA b/third_party/musl/METADATA
@@ -14,4 +14,7 @@ third_party {
     day: 1
   }
   license_type: NOTICE
+  security {
+    mitigated_security_patch: "CVE-2025-26519"  # Cherry-picked patches
+  }
 }
diff --git a/third_party/musl/src/locale/iconv.c b/third_party/musl/src/locale/iconv.c
@@ -495,7 +495,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
 			if (c >= 93 || d >= 94) {
 				c += (0xa1-0x81);
 				d += 0xa1;
-				if (c >= 93 || c>=0xc6-0x81 && d>0x52)
+				if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
 					goto ilseq;
 				if (d-'A'<26) d = d-'A';
 				else if (d-'a'<26) d = d-'a'+26;
@@ -538,6 +538,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
 				if (*outb < k) goto toobig;
 				memcpy(*out, tmp, k);
 			} else k = wctomb_utf8(*out, c);
+			/* This failure condition should be unreachable, but
+			 * is included to prevent decoder bugs from translating
+			 * into advancement outside the output buffer range. */
+			if (k>4) goto ilseq;
 			*out += k;
 			*outb -= k;
 			break;

Original file line number	Diff line number	Diff line change
`@@ -14,4 +14,7 @@ third_party {`
`14`	`14`	`day: 1`
`15`	`15`	`}`
`16`	`16`	`license_type: NOTICE`
	`17`	`+ security {`
	`18`	`+ mitigated_security_patch: "CVE-2025-26519" # Cherry-picked patches`
	`19`	`+ }`
`17`	`20`	`}`