Commit: 88facb8876c3943685e0b69a5c2f01d77f136252
Author: Bastien Montagne
Date: Thu Feb 26 11:20:47 2015 +0100
Branches: master
https://developer.blender.org/rB88facb8876c3943685e0b69a5c2f01d77f136252
Fix potential buffer overflow in `BLI_strncpy_wchar_as_utf8()`.
===================================================================
M source/blender/blenlib/intern/string_utf8.c
===================================================================
diff --git a/source/blender/blenlib/intern/string_utf8.c
b/source/blender/blenlib/intern/string_utf8.c
index f293004..c93c3cf 100644
--- a/source/blender/blenlib/intern/string_utf8.c
+++ b/source/blender/blenlib/intern/string_utf8.c
@@ -249,6 +249,7 @@ char *BLI_strncat_utf8(char *__restrict dst, const char
*__restrict src, size_t
size_t BLI_strncpy_wchar_as_utf8(char *__restrict dst, const wchar_t
*__restrict src, const size_t maxncpy)
{
const size_t maxlen = maxncpy - 1;
+ const size_t maxlen_secured = ((int)maxlen - 6) < 0 ? 0 : maxlen - 6;
/* 6 is max utf8 length of an unicode char. */
size_t len = 0;
BLI_assert(maxncpy != 0);
@@ -257,10 +258,23 @@ size_t BLI_strncpy_wchar_as_utf8(char *__restrict dst,
const wchar_t *__restrict
memset(dst, 0xff, sizeof(*dst) * maxncpy);
#endif
- while (*src && len < maxlen) { /* XXX can still run over the buffer
because utf8 size isn't known :| */
+ while (*src && len < maxlen_secured) {
len += BLI_str_utf8_from_unicode((unsigned int)*src++, dst +
len);
}
+ /* We have to be more careful for the last six bytes, to avoid buffer
overflow in case utf8-encoded char
+ * would be too long for our dst buffer. */
+ while (*src) {
+ char t[6];
+ size_t l = BLI_str_utf8_from_unicode((unsigned int)*src++, t);
+ BLI_assert(l <= 6);
+ if (len + l >= maxlen) {
+ break;
+ }
+ memcpy(dst + len, t, l);
+ len += l;
+ }
+
dst[len] = '\0';
return len;
_______________________________________________
Bf-blender-cvs mailing list
[email protected]
http://lists.blender.org/mailman/listinfo/bf-blender-cvs
