From 02f87f37dd8a71643feb01b0fd369ce640945f20 Mon Sep 17 00:00:00 2001
From: Pierre Ossman
Date: Mon, 9 Sep 2019 16:47:36 +0200
Subject: [PATCH] Fix length checks in string conversion functions

We need to check the buffer length before accessing the incoming string. Probably not a problem in practice as there should be a final null in most incoming strings. Issue found by Pavel Cheremushkin from Kaspersky Lab.
---
 common/rfb/util.cxx | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx
index fc4f4ca4..6284bb81 100644
--- a/common/rfb/util.cxx
+++ b/common/rfb/util.cxx
@@ -127,7 +127,7 @@ namespace rfb {
     // Compute output size
     in = src;
     in_len = bytes;
-    while ((*in != '\0') && (in_len > 0)) {
+    while ((in_len > 0) && (*in != '\0')) {
       if (*in != '\r') {
         sz++;
         in++;
@@ -135,7 +135,7 @@ namespace rfb {
         continue;
       }
 
-      if ((in_len == 0) || (*(in+1) != '\n'))
+      if ((in_len < 2) || (*(in+1) != '\n'))
         sz++;
 
       in++;
@@ -150,14 +150,14 @@ namespace rfb {
     out = buffer;
     in = src;
     in_len = bytes;
-    while ((*in != '\0') && (in_len > 0)) {
+    while ((in_len > 0) && (*in != '\0')) {
       if (*in != '\r') {
         *out++ = *in++;
         in_len--;
         continue;
       }
 
-      if ((in_len == 0) || (*(in+1) != '\n'))
+      if ((in_len < 2) || (*(in+1) != '\n'))
         *out++ = '\n';
 
       in++;
@@ -182,11 +182,11 @@ namespace rfb {
     // Compute output size
     in = src;
     in_len = bytes;
-    while ((*in != '\0') && (in_len > 0)) {
+    while ((in_len > 0) && (*in != '\0')) {
       sz++;
 
       if (*in == '\r') {
-        if ((in_len == 0) || (*(in+1) != '\n'))
+        if ((in_len < 2) || (*(in+1) != '\n'))
           sz++;
       } else if (*in == '\n') {
         if ((in == src) || (*(in-1) != '\r'))
@@ -205,7 +205,7 @@ namespace rfb {
     out = buffer;
     in = src;
     in_len = bytes;
-    while ((*in != '\0') && (in_len > 0)) {
+    while ((in_len > 0) && (*in != '\0')) {
       if (*in == '\n') {
         if ((in == src) || (*(in-1) != '\r'))
           *out++ = '\r';
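Review bot: The operand order in the new `while ((in_len > 0) && (*in != '\0'))` at line 130 is now load-bearing — the length test is what keeps `*in` from being read once `in_len` reaches zero on an input without a terminating null — yet nothing in the code records that, so a later tidy-up could swap the operands back without any test noticing. A comment on the first loop, `// Length first: the input need not be null-terminated`, would pin the invariant; the same loop recurs in the hunks at 150, 182, 205, 376, 391, 414, 432, 464, 484, 513 and 533. The `in_len < 2` guard before `*(in+1)` at 138 (and 160, 189, 217) is the right bound for a two-byte look-ahead. The enclosing functions start and end outside these hunks, so the `in_len--` that has to pair with each `in++` cannot be confirmed from the diff alone.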
@@ -214,7 +214,7 @@ namespace rfb {
       *out = *in;
 
       if (*in == '\r') {
-        if ((in_len == 0) || (*(in+1) != '\n')) {
+        if ((in_len < 2) || (*(in+1) != '\n')) {
           out++;
           *out = '\n';
         }
@@ -376,7 +376,7 @@ namespace rfb {
     // Compute output size
     in = src;
     in_len = bytes;
-    while ((*in != '\0') && (in_len > 0)) {
+    while ((in_len > 0) && (*in != '\0')) {
       char buf[5];
       sz += ucs4ToUTF8(*in, buf);
       in++;
@@ -391,7 +391,7 @@ namespace rfb {
     out = buffer;
     in = src;
     in_len = bytes;
-    while ((*in != '\0') && (in_len > 0)) {
+    while ((in_len > 0) && (*in != '\0')) {
       out += ucs4ToUTF8(*in, out);
       in++;
       in_len--;
@@ -414,7 +414,7 @@ namespace rfb {
     // Compute output size
     in = src;
     in_len = bytes;
-    while ((*in != '\0') && (in_len > 0)) {
+    while ((in_len > 0) && (*in != '\0')) {
       size_t len;
       unsigned ucs;
 
@@ -432,7 +432,7 @@ namespace rfb {
     out = buffer;
     in = src;
     in_len = bytes;
-    while ((*in != '\0') && (in_len > 0)) {
+    while ((in_len > 0) && (*in != '\0')) {
       size_t len;
       unsigned ucs;
 
@@ -464,7 +464,7 @@ namespace rfb {
     // Compute output size
     in = src;
     in_len = units;
-    while ((*in != '\0') && (in_len > 0)) {
+    while ((in_len > 0) && (*in != '\0')) {
       size_t len;
       unsigned ucs;
       char buf[5];
@@ -484,7 +484,7 @@ namespace rfb {
     out = buffer;
     in = src;
     in_len = units;
-    while ((*in != '\0') && (in_len > 0)) {
+    while ((in_len > 0) && (*in != '\0')) {
       size_t len;
       unsigned ucs;
 
@@ -513,7 +513,7 @@ namespace rfb {
     // Compute output size
     in = src;
     in_len = bytes;
-    while ((*in != '\0') && (in_len > 0)) {
+    while ((in_len > 0) && (*in != '\0')) {
       size_t len;
       unsigned ucs;
       wchar_t buf[3];
@@ -533,7 +533,7 @@ namespace rfb {
     out = buffer;
     in = src;
     in_len = bytes;
-    while ((*in != '\0') && (in_len > 0)) {
+    while ((in_len > 0) && (*in != '\0')) {
       size_t len;
       unsigned ucs;
 
-- 
2.39.5
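Review bot: The second byte written for a lone '\r' at `*out = '\n';` is only in bounds because the sizing loop in the hunk at 182 counted that same case, and the two loops carry the termination and look-ahead logic as independent copies; if they ever diverge the outcome is a heap write past `buffer`, not a visible failure. A post-condition after the conversion loop (which ends outside this hunk), `assert((size_t)(out - buffer) == sz);`, would make the size/conversion agreement explicit and catch such a divergence in debug builds, assuming the loop leaves `out` one past the last byte written. The same sizing/conversion pairs exist for the hunks at 376/391, 414/432, 464/484 and 513/533.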