
[STR Pending]

Link: http://www.fltk.org/str.php?L2279
Version: 1.3-current
Fix Version: 1.3-current (r7021)


Yes, I call fl_utf8from_mb to convert the encoding of a long string from
locale-specific multi-byte encodings to UTF-8. The string in
"These_Thinks_Shall_Never_Die.txt" (http://www.fltk.org/strfiles/2279/fl_utf8from_mb_patch.zip)
is a sample in GBK encoding.

For filenames with a length of less than 1024 bytes, the segmentation error
triggered by the function "free()" may not appear, due to the filename length
limit. To make this clear, part of the original code in the file "fl_utf.c" is
listed here with additional comments:
    wchar_t lbuf[1024];
    wchar_t* buf = lbuf;
    int length;
    unsigned ret;
    length = mbstowcs(buf, src, 1024);
    /* NOTICE here,  if length >=1024, then buf!=lbuf */
    if (length >= 1024) { 
      length = mbstowcs(0, src, 0)+1;
      /* Should be fixed for length>=1024 */
      buf = (wchar_t*)(malloc(length*sizeof(unsigned short))); 
      /* Buffer overflow */
      mbstowcs(buf, src, length);
    }
    if (length >= 0) {
      ret = fl_utf8fromwc(dst, dstlen, buf, length);
      /* NOTICE here, free -> Segmentation error */
      if (buf != lbuf) free((void*)buf);
      return ret;
    }
The maximum filename length is generally less than
255 (http://en.wikipedia.org/wiki/Comparison_of_file_systems), and the variable
"length" must be less than the size of src in bytes. So the expression
"length >= 1024" will surely be false. Therefore the functions "malloc()" and
"free()" will not be called.
 

To confirm the buffer overflow in other encodings, please see the latest
sample code (http://www.fltk.org/strfiles/2279/mbs.c).

 ./mbs 
*** glibc detected *** ./mbs: double free or corruption (!prev):
0x08f3ada8 ***
======= Backtrace: =========
/lib/libc.so.6[0xb77bc714]
/lib/libc.so.6(cfree+0x9c)[0xb77bdfcc]
./mbs[0x8048549]
/lib/libc.so.6(__libc_start_main+0xe5)[0xb7767725]
./mbs[0x80483d1]
...



_______________________________________________
fltk-bugs mailing list
[email protected]
http://lists.easysw.com/mailman/listinfo/fltk-bugs
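Added example, not FLTK's code and not part of the report above: a multi-byte to wide-char conversion with the same 1024-element stack buffer and heap fallback as the quoted fl_utf.c snippet, but with the heap buffer sized in sizeof(wchar_t). The quoted code allocates length*sizeof(unsigned short) bytes and then lets mbstowcs() write length wchar_t elements, so on a platform where wchar_t is 4 bytes the heap buffer holds half the data, the allocator's metadata is overwritten, and free() aborts as in the glibc trace. The function names convert_mb_safely and demo_convert_len and the constructed ASCII input are assumptions of this example; the input is ASCII so it converts in the default "C" locale without needing a GBK locale installed.

```c
/* Added example (not FLTK's code): multi-byte -> wide-char conversion whose
 * heap buffer is sized in wchar_t elements, the defect reported above. */
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define STACK_WCHARS 1024   /* same stack-buffer size as the fl_utf.c snippet */

/* Convert src from the current locale's multi-byte encoding to wide chars.
 * Returns the number of wide characters (terminator not counted) or -1 on a
 * conversion error. The last wide character is written to *last (0 for an
 * empty string) so a caller can verify the buffer really held the data. */
long convert_mb_safely(const char *src, wchar_t *last)
{
    wchar_t lbuf[STACK_WCHARS];
    wchar_t *buf = lbuf;
    size_t length = mbstowcs(buf, src, STACK_WCHARS);

    if (length == (size_t)-1) return -1;          /* invalid sequence */
    if (length >= STACK_WCHARS) {
        /* Stack buffer filled with no room for a terminator: measure, then
         * allocate (needed + 1) elements of sizeof(wchar_t). The reported
         * code used sizeof(unsigned short) here, which is too small whenever
         * wchar_t is wider than 16 bits (e.g. 4 bytes on Linux). */
        size_t needed = mbstowcs(NULL, src, 0);
        if (needed == (size_t)-1) return -1;
        buf = malloc((needed + 1) * sizeof(wchar_t));
        if (buf == NULL) return -1;
        length = mbstowcs(buf, src, needed + 1);
        if (length == (size_t)-1) { free(buf); return -1; }
    }
    *last = length ? buf[length - 1] : 0;
    if (buf != lbuf) free(buf);   /* allocator metadata intact, so free() is safe */
    return (long)length;
}

/* Constructed input (hypothetical, for this example): n bytes of 'a' ending
 * with 'z'. Returns the converted length, or -2 if the final character did
 * not survive. Any n >= STACK_WCHARS takes the heap path that overflows in
 * the reported code. */
long demo_convert_len(size_t n)
{
    char *s = malloc(n + 1);
    wchar_t last = 0;
    long len;
    if (s == NULL) return -1;
    memset(s, 'a', n);
    if (n) s[n - 1] = 'z';
    s[n] = '\0';
    len = convert_mb_safely(s, &last);
    free(s);
    if (len > 0 && last != L'z') return -2;
    return len;
}

int main(void)
{
    setlocale(LC_ALL, "");   /* pick up the user's encoding, e.g. GBK */
    printf("sizeof(wchar_t)=%zu, sizeof(unsigned short)=%zu\n",
           sizeof(wchar_t), sizeof(unsigned short));
    printf("1500-byte input -> %ld wide chars\n", demo_convert_len(1500));
    printf("5-byte input -> %ld wide chars\n", demo_convert_len(5));
    return 0;
}
```

The 1500-byte case is the one that matters: it exceeds the 1024-element stack buffer, so the conversion is repeated into a heap buffer, and the run completes with free() succeeding only because that buffer was sized in wchar_t. The printed sizeof values show why the report's overflow is platform-dependent.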
