authorPierre Ossman <ossman@cendio.se>2019-09-09 16:47:36 +0200
committerPierre Ossman <ossman@cendio.se>2019-09-25 15:54:34 +0200
commit02f87f37dd8a71643feb01b0fd369ce640945f20 (patch)
tree7cc7640d43a6966de3659090b5ce8e2491c6383c
parent07993b26c96d7ab0c20bfacd5352a0f131c23029 (diff)
downloadtigervnc-02f87f37dd8a71643feb01b0fd369ce640945f20.tar.gz
tigervnc-02f87f37dd8a71643feb01b0fd369ce640945f20.zip
Fix length checks in string conversion functions
We need to check the buffer length before accessing the incoming string. Probably not a problem in practice, as there should be a final null in most incoming strings. Issue found by Pavel Cheremushkin from Kaspersky Lab.
-rw-r--r--common/rfb/util.cxx32
1 files changed, 16 insertions, 16 deletions
diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx
index fc4f4ca4..6284bb81 100644
--- a/common/rfb/util.cxx
+++ b/common/rfb/util.cxx
@@ -127,7 +127,7 @@ namespace rfb {
// Compute output size
in = src;
in_len = bytes;
- while ((*in != '\0') && (in_len > 0)) {
+ while ((in_len > 0) && (*in != '\0')) {
if (*in != '\r') {
sz++;
in++;
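Review bot: The counting loop in this hunk and the write loop in the `@@ -150` hunk must make exactly the same decisions per input byte, because the output buffer is sized from `sz` and the write loop has no bound of its own; that lock-step is what the reordered guards restore, but nothing in the code states it. I would put a comment above each counting loop, e.g. `// Keep in lock-step with the output loop below: any divergence overruns buffer`, and the same for the other size/write pairs (`@@ -182`/`@@ -205`, `@@ -376`/`@@ -391`, `@@ -414`/`@@ -432`, `@@ -464`/`@@ -484`, `@@ -513`/`@@ -533`). The enclosing function starts before this hunk.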
@@ -135,7 +135,7 @@ namespace rfb {
continue;
}
- if ((in_len == 0) || (*(in+1) != '\n'))
+ if ((in_len < 2) || (*(in+1) != '\n'))
sz++;
in++;
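Review bot: The `in_len < 2` test is correct but reads oddly next to the loop's own `in_len > 0` guard, and the old `in_len == 0` form was unreachable here, which is how `*(in+1)` could be read one byte past `src + bytes`; without a comment the next editor may "simplify" it back. A one-liner above it would pin the reason: `// Two units must remain before peeking at in[1]`. The same lookahead guard appears in the hunks at `@@ -150`, `@@ -182` and `@@ -214`. The enclosing function's body continues outside this hunk.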
@@ -150,14 +150,14 @@ namespace rfb {
out = buffer;
in = src;
in_len = bytes;
- while ((*in != '\0') && (in_len > 0)) {
+ while ((in_len > 0) && (*in != '\0')) {
if (*in != '\r') {
*out++ = *in++;
in_len--;
continue;
}
- if ((in_len == 0) || (*(in+1) != '\n'))
+ if ((in_len < 2) || (*(in+1) != '\n'))
*out++ = '\n';
in++;
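Review bot: Nothing checks that the write loop in this hunk produced exactly the `sz` bytes the counting pass reserved, so a later edit to one loop but not the other would silently overrun `buffer` rather than fail loudly. Where the loop ends (outside this hunk), a cheap guard such as `assert((size_t)(out - buffer) == sz);` before the terminator is written would catch that in debug builds; this assumes `sz` and `buffer` are still in scope there, which I infer from the surrounding hunks rather than see. The same check fits the write loops at `@@ -205`, `@@ -391`, `@@ -432`, `@@ -484` and `@@ -533`.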
@@ -182,11 +182,11 @@ namespace rfb {
// Compute output size
in = src;
in_len = bytes;
- while ((*in != '\0') && (in_len > 0)) {
+ while ((in_len > 0) && (*in != '\0')) {
sz++;
if (*in == '\r') {
- if ((in_len == 0) || (*(in+1) != '\n'))
+ if ((in_len < 2) || (*(in+1) != '\n'))
sz++;
} else if (*in == '\n') {
if ((in == src) || (*(in-1) != '\r'))
@@ -205,7 +205,7 @@ namespace rfb {
out = buffer;
in = src;
in_len = bytes;
- while ((*in != '\0') && (in_len > 0)) {
+ while ((in_len > 0) && (*in != '\0')) {
if (*in == '\n') {
if ((in == src) || (*(in-1) != '\r'))
*out++ = '\r';
@@ -214,7 +214,7 @@ namespace rfb {
*out = *in;
if (*in == '\r') {
- if ((in_len == 0) || (*(in+1) != '\n')) {
+ if ((in_len < 2) || (*(in+1) != '\n')) {
out++;
*out = '\n';
}
@@ -376,7 +376,7 @@ namespace rfb {
// Compute output size
in = src;
in_len = bytes;
- while ((*in != '\0') && (in_len > 0)) {
+ while ((in_len > 0) && (*in != '\0')) {
char buf[5];
sz += ucs4ToUTF8(*in, buf);
in++;
@@ -391,7 +391,7 @@ namespace rfb {
out = buffer;
in = src;
in_len = bytes;
- while ((*in != '\0') && (in_len > 0)) {
+ while ((in_len > 0) && (*in != '\0')) {
out += ucs4ToUTF8(*in, out);
in++;
in_len--;
@@ -414,7 +414,7 @@ namespace rfb {
// Compute output size
in = src;
in_len = bytes;
- while ((*in != '\0') && (in_len > 0)) {
+ while ((in_len > 0) && (*in != '\0')) {
size_t len;
unsigned ucs;
@@ -432,7 +432,7 @@ namespace rfb {
out = buffer;
in = src;
in_len = bytes;
- while ((*in != '\0') && (in_len > 0)) {
+ while ((in_len > 0) && (*in != '\0')) {
size_t len;
unsigned ucs;
@@ -464,7 +464,7 @@ namespace rfb {
// Compute output size
in = src;
in_len = units;
- while ((*in != '\0') && (in_len > 0)) {
+ while ((in_len > 0) && (*in != '\0')) {
size_t len;
unsigned ucs;
char buf[5];
@@ -484,7 +484,7 @@ namespace rfb {
out = buffer;
in = src;
in_len = units;
- while ((*in != '\0') && (in_len > 0)) {
+ while ((in_len > 0) && (*in != '\0')) {
size_t len;
unsigned ucs;
@@ -513,7 +513,7 @@ namespace rfb {
// Compute output size
in = src;
in_len = bytes;
- while ((*in != '\0') && (in_len > 0)) {
+ while ((in_len > 0) && (*in != '\0')) {
size_t len;
unsigned ucs;
wchar_t buf[3];
@@ -533,7 +533,7 @@ namespace rfb {
out = buffer;
in = src;
in_len = bytes;
- while ((*in != '\0') && (in_len > 0)) {
+ while ((in_len > 0) && (*in != '\0')) {
size_t len;
unsigned ucs;