RootCause: unvalidated
out=*in;(*out)++;outlen-- without first checking outlen>0 — EILSEQ/EINVAL branch (lines 175-187). Outcome: the next iconv call writes attacker-controlled bytes far past the heap buffer.
e2a3eeb1-d8bd-461e-9d39-5bdb36c3795b