glibc: assertion during character conversion
[I'm just creating a bug for future reference, I've already reported this issue upstream and it's already been fixed]
If an application uses iconv() with an attacker specified character set, there's an assertion in the gconv buffer management code that can be triggered, crashing the application. The crash only occurs with ISO-2022-JP-3 encoding.
This is a problem because that's a really common thing to do, for example mail clients do automatic charset conversion when they see a Subject like:
Subject: =?ISO-2022-JP-3?B?.....
or a MIME header like this:
Content-Type: text/plain; charset=ISO-2022-JP-3
This would mean your mail client would immediately crash.
Upstream bug and patch is available here: https://sourceware.org/bugzilla/show_bug.cgi?id=27256
There's a testcase in the patch if you want to reproduce it.
Found by: taviso@google.com