[Minor] Fix buffer overflow due to libicu super safe macros

author Vsevolod Stakhov <vsevolod@highsecure.ru>

Tue, 18 May 2021 11:43:22 +0000 (12:43 +0100)

committer Vsevolod Stakhov <vsevolod@highsecure.ru>

Tue, 18 May 2021 11:43:22 +0000 (12:43 +0100)
author Vsevolod Stakhov <vsevolod@highsecure.ru>
Tue, 18 May 2021 11:43:22 +0000 (12:43 +0100)
committer Vsevolod Stakhov <vsevolod@highsecure.ru>
Tue, 18 May 2021 11:43:22 +0000 (12:43 +0100)
diff --git a/src/libutil/cxx/utf8_util.cxx b/src/libutil/cxx/utf8_util.cxx

index 337961f2bb835e1c21302178807a06ad7de4d9c2..cf71ae2ae813a4d32aed4f6685e8de6c3828675d 100644 (file)
--- a/src/libutil/cxx/utf8_util.cxx
+++ b/src/libutil/cxx/utf8_util.cxx
@@ -136,6 +136,12 @@ rspamd_normalise_unicode_inplace(char *start, size_t *len)
                 size_t i = 0;
  
                 while(it.hasNext()) {
+                       /* libicu is very 'special' if it comes to 'safe' macro */
+                       if (i >= *len) {
+                               ret |= RSPAMD_UNICODE_NORM_ERROR;
+                               break;
+                       }
+
                         auto uc = it.next32PostInc();
  
                         if (zw_spaces.contains(uc)) {
@@ -143,12 +149,15 @@ rspamd_normalise_unicode_inplace(char *start, size_t *len)
                         }
                         else {
                                 UBool err = 0;
+
+                               if (uc == 0xFFFD) {
+                                       ret |= RSPAMD_UNICODE_NORM_UNNORMAL;
+                               }
                                 U8_APPEND((uint8_t*)start, i, *len, uc, err);
  
                                 if (err) {
-                                       ret = RSPAMD_UNICODE_NORM_ERROR;
-
-                                       return i;
+                                       ret |= RSPAMD_UNICODE_NORM_ERROR;
+                                       break;
                                 }
                         }
                 }
@@ -187,6 +196,9 @@ TEST_SUITE("utf8 utils") {
                                 /* Same with zw spaces */
                                 {"13\u200C_\u0020\u0308\u0301\u038e\u03ab\u200D", "13_ ̈́ΎΫ",
                                                                 RSPAMD_UNICODE_NORM_UNNORMAL|RSPAMD_UNICODE_NORM_ZERO_SPACES},
+                               /* Buffer overflow case */
+                               {"u\xC2\xC2\xC2\xC2\xC2\xC2""abcdef""abcdef", "u������",
+                                                               RSPAMD_UNICODE_NORM_UNNORMAL|RSPAMD_UNICODE_NORM_ERROR},
                 };
  
                 for (const auto &c : cases) {
author	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Tue, 18 May 2021 11:43:22 +0000 (12:43 +0100)
committer	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Tue, 18 May 2021 11:43:22 +0000 (12:43 +0100)