summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAdam Vartanian <flooey@google.com>2017-08-14 15:51:29 +0100
committerIvan Kutepov <its.kutepov@gmail.com>2017-11-10 19:20:14 +0300
commite476920fb9015fe75c534bf9bac2190cad67c175 (patch)
treee2d2be7a0198d58420f8a4afd8b675d31b91197b
parent4f84775fef93119cb80be7bd93b6bfaf8c02b192 (diff)
downloadsystem_core-e476920fb9015fe75c534bf9bac2190cad67c175.tar.gz
system_core-e476920fb9015fe75c534bf9bac2190cad67c175.tar.bz2
system_core-e476920fb9015fe75c534bf9bac2190cad67c175.zip
Fix integer overflow in utf{16,32}_to_utf8_length
Without an explicit check, the return value can wrap around and return a value that is far too small to hold the data from the resulting conversion. No CTS test is provided because it would need to allocate at least SSIZE_MAX / 2 bytes of UTF-16 data, which is unreasonable on 64-bit devices. Bug: 37723026 Test: run cts -p android.security Change-Id: I56ba5e31657633b7f33685dd8839d4b3b998e586 CVE-2017-0841
-rw-r--r--libutils/Unicode.cpp24
1 files changed, 21 insertions, 3 deletions
diff --git a/libutils/Unicode.cpp b/libutils/Unicode.cpp
index 2b5293e74..4d6ca3eb2 100644
--- a/libutils/Unicode.cpp
+++ b/libutils/Unicode.cpp
@@ -16,6 +16,7 @@
#include <log/log.h>
#include <utils/Unicode.h>
+#include <limits.h>
#include <stddef.h>
@@ -178,7 +179,15 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len)
size_t ret = 0;
const char32_t *end = src + src_len;
while (src < end) {
- ret += utf32_codepoint_utf8_length(*src++);
+ size_t char_len = utf32_codepoint_utf8_length(*src++);
+ if (SSIZE_MAX - char_len < ret) {
+ // If this happens, we would overflow the ssize_t type when
+ // returning from this function, so we cannot express how
+ // long this string is in an ssize_t.
+ android_errorWriteLog(0x534e4554, "37723026");
+ return -1;
+ }
+ ret += char_len;
}
return ret;
}
@@ -414,14 +423,23 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len)
size_t ret = 0;
const char16_t* const end = src + src_len;
while (src < end) {
+ size_t char_len;
if ((*src & 0xFC00) == 0xD800 && (src + 1) < end
&& (*(src + 1) & 0xFC00) == 0xDC00) {
// surrogate pairs are always 4 bytes.
- ret += 4;
+ char_len = 4;
src += 2;
} else {
- ret += utf32_codepoint_utf8_length((char32_t) *src++);
+ char_len = utf32_codepoint_utf8_length((char32_t)*src++);
+ }
+ if (SSIZE_MAX - char_len < ret) {
+ // If this happens, we would overflow the ssize_t type when
+ // returning from this function, so we cannot express how
+ // long this string is in an ssize_t.
+ android_errorWriteLog(0x534e4554, "37723026");
+ return -1;
}
+ ret += char_len;
}
return ret;
}