
CVE-2024-2961:
The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer...

CVSS Score (v3.1): 7.3

Basic Information

EPSS Score: 0.99689%
Published: 4/17/2024
Updated: 2/13/2025
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability CVE-2024-2961 describes a buffer overflow in the iconv() function of the GNU C Library when converting strings to the ISO-2022-CN-EXT character set.

  1. The iconv() function itself is identified as a vulnerable function because it is the API entry point. The fixing commit f9dc609e06b1136bb0408be9605ce7973a767ada adds a new test case (iconvdata/tst-iconv-iso-2022-cn-ext.c) that explicitly calls iconv() to exercise the vulnerable path and verify the fix.
  2. The core of the vulnerability lies in the internal conversion logic for the ISO-2022-CN-EXT character set, implemented in iconvdata/iso-2022-cn-ext.c. The conversion function in this file (the module's gconv routine) was missing bounds checks on the output buffer. The patch in commit f9dc609e06b1136bb0408be9605ce7973a767ada modifies this file by adding a check (if (outptr + 4 > outend)) before writing the 4-byte escape sequences for the SS2 designation (e.g., ESC $ * H) and the SS3 designation (e.g., ESC $ + I). The commit message confirms that these escape sequences were written without such checks. Both iconv() (the user-facing API) and the internal gconv function in iconvdata/iso-2022-cn-ext.c (where the defective logic resided) are key to understanding the vulnerability and would appear in a runtime profile during exploitation or when the bug is triggered.
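The check described in item 2 is easy to reason about in isolation: a converter that emits a fixed-length escape sequence must confirm that many bytes remain in the caller's output buffer before writing. The following is an added example, not glibc's code and not Miggo's; it models the guarded write for an SS2/SS3 designation (ESC $ * H or ESC $ + I) in a small stand-alone emitter. The function names, the result codes and the canary-filled helper buffer are this example's own assumptions. The guard is written as a pointer difference rather than as outptr + 4 > outend so that no pointer past outend is ever formed, which is the same condition the fix adds without relying on out-of-range pointer arithmetic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESC 0x1b

/* Result codes for the emitter (names are this example's own, not glibc's). */
enum { EMIT_OK = 0, EMIT_FULL_OUTPUT = 1 };

/*
 * Write a 4-byte ISO-2022-CN-EXT designation escape into [*outptr, outend):
 *   SS2 designation: ESC $ * <final>   (e.g. ESC $ * H)
 *   SS3 designation: ESC $ + <final>   (e.g. ESC $ + I)
 * Refuses, writing nothing, when fewer than 4 bytes remain. This is the
 * bounds check that the CVE-2024-2961 fix adds before these writes.
 */
int emit_designation(unsigned char **outptr, unsigned char *outend,
                     unsigned char final_byte, int ss3)
{
    unsigned char *p = *outptr;
    if (outend < p || (size_t)(outend - p) < 4)
        return EMIT_FULL_OUTPUT;     /* caller must supply more room */
    p[0] = ESC;
    p[1] = '$';
    p[2] = ss3 ? '+' : '*';
    p[3] = final_byte;
    *outptr = p + 4;
    return EMIT_OK;
}

/*
 * Helper: reserve `room` bytes at the start of a larger buffer filled with
 * a 0xAA canary (constructed test data), try to emit an SS2 designation,
 * and report how many bytes were written and whether the canary survived.
 */
int emit_into_room(size_t room, size_t *written, int *canary_intact)
{
    unsigned char buf[16];
    memset(buf, 0xAA, sizeof buf);
    if (room > sizeof buf) room = sizeof buf;
    unsigned char *p = buf;
    int rc = emit_designation(&p, buf + room, 'H', 0);
    *written = (size_t)(p - buf);
    *canary_intact = 1;
    for (size_t i = room; i < sizeof buf; i++)
        if (buf[i] != 0xAA) *canary_intact = 0;
    return rc;
}

/* Compact summary for self-checks: rc * 100 + bytes_written * 10 + canary_intact. */
int room_summary(size_t room)
{
    size_t written; int intact;
    int rc = emit_into_room(room, &written, &intact);
    return rc * 100 + (int)written * 10 + intact;
}

int main(void)
{
    size_t w; int ok;
    int rc = emit_into_room(3, &w, &ok);
    printf("room=3: rc=%d written=%zu canary_intact=%d\n", rc, w, ok);
    rc = emit_into_room(4, &w, &ok);
    printf("room=4: rc=%d written=%zu canary_intact=%d\n", rc, w, ok);
    return 0;
}
```

With 3 bytes of room the emitter returns EMIT_FULL_OUTPUT and leaves the buffer untouched; with 4 it writes exactly the escape sequence and the bytes beyond the reserved room keep their canary value. A converter without the guard would write the 4th byte past the reserved room, which is the overflow of up to 4 bytes the advisory describes.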


WAF Protection Rules

WAF Rule

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring...
