From 51c19aa14e9ab6a1832bf7ada2789120cb60cef7 Mon Sep 17 00:00:00 2001 From: Daniel Markstedt Date: Fri, 8 May 2026 09:13:10 +0200 Subject: [PATCH] CVE-2026-44062: libatalk/unicode: guard UCS2 slash and colon writes Reported-by: @00redbeer Signed-off-by: Daniel Markstedt --- libatalk/unicode/charcnv.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libatalk/unicode/charcnv.c b/libatalk/unicode/charcnv.c index 791ae3b2b..6a0f02fab 100644 --- a/libatalk/unicode/charcnv.c +++ b/libatalk/unicode/charcnv.c @@ -786,6 +786,11 @@ static size_t pull_charset_flags(charset_t from_set, charset_t to_set, i_len--; } else if (to_set == CH_UTF8_MAC || to_set == CH_MAC) { /* convert to a '/' */ + if (o_len < 2) { + errno = E2BIG; + goto end; + } + ucs2_t slash = 0x002f; memcpy(outbuf, &slash, sizeof(ucs2_t)); outbuf += 2; @@ -794,6 +799,11 @@ static size_t pull_charset_flags(charset_t from_set, charset_t to_set, i_len--; } else { /* keep as ':' */ + if (o_len < 2) { + errno = E2BIG; + goto end; + } + ucs2_t ucs2 = 0x003a; memcpy(outbuf, &ucs2, sizeof(ucs2_t)); outbuf += 2; @@ -822,6 +832,11 @@ static size_t pull_charset_flags(charset_t from_set, charset_t to_set, } else if ((from_set == CH_UTF8_MAC || from_set == CH_MAC) && (to_set != CH_UTF8_MAC || to_set != CH_MAC)) { /* convert to ':' */ + if (o_len < 2) { + errno = E2BIG; + goto end; + } + ucs2_t ucs2 = 0x003a; memcpy(outbuf, &ucs2, sizeof(ucs2_t)); outbuf += 2; @@ -830,6 +845,11 @@ static size_t pull_charset_flags(charset_t from_set, charset_t to_set, i_len--; } else { /* keep as '/' */ + if (o_len < 2) { + errno = E2BIG; + goto end; + } + ucs2_t ucs2 = 0x002f; memcpy(outbuf, &ucs2, sizeof(ucs2_t)); outbuf += 2;