diff options
| author | Adam Vartanian <flooey@google.com> | 2017-08-14 15:51:29 +0100 |
|---|---|---|
| committer | Adam Vartanian <flooey@google.com> | 2017-09-07 10:36:19 +0100 |
| commit | 47efc676c849e3abf32001d66e2d6eb887e83c48 (patch) | |
| tree | ed39557debb04047f94a4e475dbbb06a639bdf57 /libutils | |
| parent | 3a66fd2174aa4ec3b98efe807075c7413c39ce0d (diff) | |
| download | system_core-47efc676c849e3abf32001d66e2d6eb887e83c48.tar.gz system_core-47efc676c849e3abf32001d66e2d6eb887e83c48.tar.bz2 system_core-47efc676c849e3abf32001d66e2d6eb887e83c48.zip | |
Fix integer overflow in utf{16,32}_to_utf8_length
Without an explicit check, the return value can wrap around and return
a value that is far too small to hold the data from the resulting
conversion.
No CTS test is provided because it would need to allocate at least
SSIZE_MAX / 2 bytes of UTF-16 data, which is unreasonable on 64-bit
devices.
Bug: 37723026
Test: run cts -p android.security
Change-Id: I56ba5e31657633b7f33685dd8839d4b3b998e586
Diffstat (limited to 'libutils')
| -rw-r--r-- | libutils/Unicode.cpp | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/libutils/Unicode.cpp b/libutils/Unicode.cpp index 5fd915524..6cff0f476 100644 --- a/libutils/Unicode.cpp +++ b/libutils/Unicode.cpp @@ -180,7 +180,15 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len) size_t ret = 0; const char32_t *end = src + src_len; while (src < end) { - ret += utf32_codepoint_utf8_length(*src++); + size_t char_len = utf32_codepoint_utf8_length(*src++); + if (SSIZE_MAX - char_len < ret) { + // If this happens, we would overflow the ssize_t type when + // returning from this function, so we cannot express how + // long this string is in an ssize_t. + android_errorWriteLog(0x534e4554, "37723026"); + return -1; + } + ret += char_len; } return ret; } @@ -440,14 +448,23 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len) size_t ret = 0; const char16_t* const end = src + src_len; while (src < end) { + size_t char_len; if ((*src & 0xFC00) == 0xD800 && (src + 1) < end && (*(src + 1) & 0xFC00) == 0xDC00) { // surrogate pairs are always 4 bytes. - ret += 4; + char_len = 4; src += 2; } else { - ret += utf32_codepoint_utf8_length((char32_t) *src++); + char_len = utf32_codepoint_utf8_length((char32_t)*src++); + } + if (SSIZE_MAX - char_len < ret) { + // If this happens, we would overflow the ssize_t type when + // returning from this function, so we cannot express how + // long this string is in an ssize_t. + android_errorWriteLog(0x534e4554, "37723026"); + return -1; } + ret += char_len; } return ret; } |