http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21990

ICULCPTranscoder::transcode memory leak

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|ICULCPTranscoder::transcode |ICULCPTranscoder::transcode
                   |memory leak                 |memory leak

------- Additional Comments From [EMAIL PROTECTED] 2003-08-22 20:03 -------

I confirmed the bug reported by Junichi.

When the length of the converted characters (from Unicode to chars) is the same as that of retBuf, ICU does convert, but does not write a terminating-NULL because no space is left. In this case ICU puts U_STRING_NOT_TERMINATED_WARNING in err, though this case is not checked. In this case, transcode() will put a terminating-null in the byte after the end of the buffer, causing a buffer overrun.

What we have to do to fix this bug is...

- Check whether err has U_STRING_NOT_TERMINATED_WARNING. If so,
- Allocate a new larger buffer that can save a terminating-null.
- We already have the converted chars in retBuf, therefore put the converted string in retBuf and a terminating-null into the newly-allocated buffer.
- delete retBuf, and return the new buffer.

After adding the above code, we don't have to cap the buffer as seen at the end of transcode().

Here's the patch to do it.

--- util/Transcoders/ICU/ICUTransService.cpp.org 2003-06-17 16:38:35.000000000 +0900 +++ util/Transcoders/ICU/ICUTransService.cpp 2003-08-22 21:43:50.000000000 +0900
@@ -906,6 +906,20 @@ ); } + + // If targetCap is equal to targetLen + 1, terminating-NULL is not written. + if (err == U_STRING_NOT_TERMINATED_WARNING) { + // + // We have the converted string in retBuf. + // Put the string in retBuf and terminating-NULL into a newly-allocated buffer. + // + char* newRetBuf = new char[targetCap + 1]; + memcpy(newRetBuf, retBuf, targetCap); + newRetBuf[targetCap] = 0; + delete [] retBuf; + return newRetBuf; + } + // If targetLen is not enough then buffer overflow might occur if (err == U_BUFFER_OVERFLOW_ERROR) { @@ -936,8 +950,6 @@ return 0; } - // Cap it off and return - retBuf[targetCap] = 0; return retBuf; }
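
Review bot: in the first hunk (@@ -906,6 +906,20 @@) the new branch allocates newRetBuf while retBuf is still owned by a raw pointer, so if new char[targetCap + 1] throws, retBuf is never released; hold retBuf in a scope guard or otherwise make sure it is freed on that path. The comment "If targetCap is equal to targetLen + 1, terminating-NULL is not written" also does not describe the condition the code tests: the branch keys only on err, and the case described in the report is the converted length equalling the buffer capacity, so the comment should say that. A simpler alternative worth considering is to allocate retBuf one byte larger than the capacity handed to ICU at the point where it is first allocated (not shown in this hunk), which would avoid the second allocation and the memcpy.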
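
Review bot: in the second hunk (@@ -936,8 +950,6 @@) removing retBuf[targetCap] = 0; leaves the final return retBuf; relying entirely on ICU having written the terminator, yet the only U_STRING_NOT_TERMINATED_WARNING check added by this patch sits before the U_BUFFER_OVERFLOW_ERROR branch. If that branch converts again into a resized buffer (those lines are not shown here), err can carry the same warning when the output exactly fills the new buffer, and nothing tests for it before this return. Either repeat the warning check after that branch or keep a terminating write that stays inside the allocated size.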