author | Sergio Giro <sgiro@google.com> | 2016-06-28 18:02:29 +0100 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2016-07-21 17:35:58 -0700 |
commit | 3c28cda5d0120eb7bf7a49b36b96f45c0a588232 (patch) | |
tree | f8ac5f336ba4a8c575d29915f7c087eb624556be /libutils/String8.cpp | |
parent | 671d62d73c9c643159107ca77721b6540ef79eea (diff) | |
libutils/Unicode.cpp: Correct length computation and add checks for utf16->utf8
Inconsistent behaviour between utf16_to_utf8 and utf16_to_utf8_length
is causing a heap overflow.
Correcting the length computation and adding bound checks to the
conversion functions.
Test: ran libutils_tests
Bug: 29250543
Change-Id: I6115e3357141ed245c63c6eb25fc0fd0a9a7a2bb
(cherry picked from commit c4966a363e46d2e1074d1a365e232af0dcedd6a1)
Diffstat (limited to 'libutils/String8.cpp')
-rw-r--r-- | libutils/String8.cpp | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/libutils/String8.cpp b/libutils/String8.cpp
index ad65fdb88..75dfa2994 100644
--- a/libutils/String8.cpp
+++ b/libutils/String8.cpp
@@ -102,20 +102,21 @@ static char* allocFromUTF16(const char16_t* in, size_t len)
 {
 if (len == 0) return getEmptyString();

- const ssize_t bytes = utf16_to_utf8_length(in, len);
- if (bytes < 0) {
+ // Allow for closing '\0'
+ const ssize_t resultStrLen = utf16_to_utf8_length(in, len) + 1;
+ if (resultStrLen < 1) {
 return getEmptyString();
 }

- SharedBuffer* buf = SharedBuffer::alloc(bytes+1);
+ SharedBuffer* buf = SharedBuffer::alloc(resultStrLen);
 ALOG_ASSERT(buf, "Unable to allocate shared buffer");
 if (!buf) {
 return getEmptyString();
 }

- char* str = (char*)buf->data();
- utf16_to_utf8(in, len, str);
- return str;
+ char* resultStr = (char*)buf->data();
+ utf16_to_utf8(in, len, resultStr, resultStrLen);
+ return resultStr;
 }

 static char* allocFromUTF32(const char32_t* in, size_t len)
@@ -124,21 +125,21 @@ static char* allocFromUTF32(const char32_t* in, size_t len)
 return getEmptyString();
 }

- const ssize_t bytes = utf32_to_utf8_length(in, len);
- if (bytes < 0) {
+ const ssize_t resultStrLen = utf32_to_utf8_length(in, len) + 1;
+ if (resultStrLen < 1) {
 return getEmptyString();
 }

- SharedBuffer* buf = SharedBuffer::alloc(bytes+1);
+ SharedBuffer* buf = SharedBuffer::alloc(resultStrLen);
 ALOG_ASSERT(buf, "Unable to allocate shared buffer");
 if (!buf) {
 return getEmptyString();
 }

- char* str = (char*) buf->data();
- utf32_to_utf8(in, len, str);
+ char* resultStr = (char*) buf->data();
+ utf32_to_utf8(in, len, resultStr, resultStrLen);

- return str;
+ return resultStr;
 }

 // ---------------------------------------------------------------------------
|
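Review bot: In allocFromUTF16 the `+ 1` is applied to the return value of `utf16_to_utf8_length()` before that value is validated, so the `resultStrLen < 1` test is only correct if -1 is the sole error value and the length can never reach SSIZE_MAX; otherwise the addition is a signed overflow instead of a clean rejection. Whether the length function caps its result is decided in Unicode.cpp, which this diff does not show. I would validate the raw value first and add afterwards: `const ssize_t bytes = utf16_to_utf8_length(in, len);`, `if (bytes < 0 || bytes == SSIZE_MAX) return getEmptyString();`, `const size_t resultStrLen = static_cast<size_t>(bytes) + 1;`. The allocFromUTF32 hunk has the same pattern.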
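Review bot: `resultStrLen` in allocFromUTF32 holds the buffer size including the terminator, not a string length, and unlike the UTF-16 hunk this copy carries no comment saying so. The value is now both the allocation size and the bound passed to `utf32_to_utf8()`, so a reader who takes the name literally could reintroduce the off-by-one this commit closes. I would add `// Buffer size: UTF-8 byte count plus the closing '\0'` above the declaration, or rename the variable to something like `resultBufSize`. The function's opening lines are outside this hunk.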