Browse Source
Fix length checks in string conversion functions
We need to check the buffer length before accessing the incoming string. Probably not a problem in practice as there should be a final null in most incoming strings. Issue found by Pavel Cheremushkin from Kaspersky Lab.tags/v1.9.90
Pierre Ossman
4 years ago
1 changed files with 16 additions and 16 deletions
+ 16
- 16
common/rfb/util.cxx
View File
| // Compute output size | // Compute output size | ||||
| in = src; | in = src; | ||||
| in_len = bytes; | in_len = bytes; | ||||
| while ((*in != '\0') && (in_len > 0)) { | |||||
| while ((in_len > 0) && (*in != '\0')) { | |||||
| if (*in != '\r') { | if (*in != '\r') { | ||||
| sz++; | sz++; | ||||
| in++; | in++; | ||||
| continue; | continue; | ||||
| } | } | ||||
| if ((in_len == 0) || (*(in+1) != '\n')) | |||||
| if ((in_len < 2) || (*(in+1) != '\n')) | |||||
| sz++; | sz++; | ||||
| in++; | in++; | ||||
| out = buffer; | out = buffer; | ||||
| in = src; | in = src; | ||||
| in_len = bytes; | in_len = bytes; | ||||
| while ((*in != '\0') && (in_len > 0)) { | |||||
| while ((in_len > 0) && (*in != '\0')) { | |||||
| if (*in != '\r') { | if (*in != '\r') { | ||||
| *out++ = *in++; | *out++ = *in++; | ||||
| in_len--; | in_len--; | ||||
| continue; | continue; | ||||
| } | } | ||||
| if ((in_len == 0) || (*(in+1) != '\n')) | |||||
| if ((in_len < 2) || (*(in+1) != '\n')) | |||||
| *out++ = '\n'; | *out++ = '\n'; | ||||
| in++; | in++; | ||||
| // Compute output size | // Compute output size | ||||
| in = src; | in = src; | ||||
| in_len = bytes; | in_len = bytes; | ||||
| while ((*in != '\0') && (in_len > 0)) { | |||||
| while ((in_len > 0) && (*in != '\0')) { | |||||
| sz++; | sz++; | ||||
| if (*in == '\r') { | if (*in == '\r') { | ||||
| if ((in_len == 0) || (*(in+1) != '\n')) | |||||
| if ((in_len < 2) || (*(in+1) != '\n')) | |||||
| sz++; | sz++; | ||||
| } else if (*in == '\n') { | } else if (*in == '\n') { | ||||
| if ((in == src) || (*(in-1) != '\r')) | if ((in == src) || (*(in-1) != '\r')) | ||||
| out = buffer; | out = buffer; | ||||
| in = src; | in = src; | ||||
| in_len = bytes; | in_len = bytes; | ||||
| while ((*in != '\0') && (in_len > 0)) { | |||||
| while ((in_len > 0) && (*in != '\0')) { | |||||
| if (*in == '\n') { | if (*in == '\n') { | ||||
| if ((in == src) || (*(in-1) != '\r')) | if ((in == src) || (*(in-1) != '\r')) | ||||
| *out++ = '\r'; | *out++ = '\r'; | ||||
| *out = *in; | *out = *in; | ||||
| if (*in == '\r') { | if (*in == '\r') { | ||||
| if ((in_len == 0) || (*(in+1) != '\n')) { | |||||
| if ((in_len < 2) || (*(in+1) != '\n')) { | |||||
| out++; | out++; | ||||
| *out = '\n'; | *out = '\n'; | ||||
| } | } | ||||
| // Compute output size | // Compute output size | ||||
| in = src; | in = src; | ||||
| in_len = bytes; | in_len = bytes; | ||||
| while ((*in != '\0') && (in_len > 0)) { | |||||
| while ((in_len > 0) && (*in != '\0')) { | |||||
| char buf[5]; | char buf[5]; | ||||
| sz += ucs4ToUTF8(*in, buf); | sz += ucs4ToUTF8(*in, buf); | ||||
| in++; | in++; | ||||
| out = buffer; | out = buffer; | ||||
| in = src; | in = src; | ||||
| in_len = bytes; | in_len = bytes; | ||||
| while ((*in != '\0') && (in_len > 0)) { | |||||
| while ((in_len > 0) && (*in != '\0')) { | |||||
| out += ucs4ToUTF8(*in, out); | out += ucs4ToUTF8(*in, out); | ||||
| in++; | in++; | ||||
| in_len--; | in_len--; | ||||
| // Compute output size | // Compute output size | ||||
| in = src; | in = src; | ||||
| in_len = bytes; | in_len = bytes; | ||||
| while ((*in != '\0') && (in_len > 0)) { | |||||
| while ((in_len > 0) && (*in != '\0')) { | |||||
| size_t len; | size_t len; | ||||
| unsigned ucs; | unsigned ucs; | ||||
| out = buffer; | out = buffer; | ||||
| in = src; | in = src; | ||||
| in_len = bytes; | in_len = bytes; | ||||
| while ((*in != '\0') && (in_len > 0)) { | |||||
| while ((in_len > 0) && (*in != '\0')) { | |||||
| size_t len; | size_t len; | ||||
| unsigned ucs; | unsigned ucs; | ||||
| // Compute output size | // Compute output size | ||||
| in = src; | in = src; | ||||
| in_len = units; | in_len = units; | ||||
| while ((*in != '\0') && (in_len > 0)) { | |||||
| while ((in_len > 0) && (*in != '\0')) { | |||||
| size_t len; | size_t len; | ||||
| unsigned ucs; | unsigned ucs; | ||||
| char buf[5]; | char buf[5]; | ||||
| out = buffer; | out = buffer; | ||||
| in = src; | in = src; | ||||
| in_len = units; | in_len = units; | ||||
| while ((*in != '\0') && (in_len > 0)) { | |||||
| while ((in_len > 0) && (*in != '\0')) { | |||||
| size_t len; | size_t len; | ||||
| unsigned ucs; | unsigned ucs; | ||||
| // Compute output size | // Compute output size | ||||
| in = src; | in = src; | ||||
| in_len = bytes; | in_len = bytes; | ||||
| while ((*in != '\0') && (in_len > 0)) { | |||||
| while ((in_len > 0) && (*in != '\0')) { | |||||
| size_t len; | size_t len; | ||||
| unsigned ucs; | unsigned ucs; | ||||
| wchar_t buf[3]; | wchar_t buf[3]; | ||||
| out = buffer; | out = buffer; | ||||
| in = src; | in = src; | ||||
| in_len = bytes; | in_len = bytes; | ||||
| while ((*in != '\0') && (in_len > 0)) { | |||||
| while ((in_len > 0) && (*in != '\0')) { | |||||
| size_t len; | size_t len; | ||||
| unsigned ucs; | unsigned ucs; | ||||
Loading…