diff options
author | Eric Anholt <anholt@FreeBSD.org> | 2005-12-22 06:27:44 +0000 |
---|---|---|
committer | Eric Anholt <anholt@FreeBSD.org> | 2005-12-22 06:27:44 +0000 |
commit | cc4c61c3126533224bef93898ea5dd2ba13ed1fc (patch) | |
tree | bc676c93eea0cddf4fc6f2640357b16f29499515 /liboil/utf8 | |
parent | df60cc40e727d28aa18631b563214d9e9366e124 (diff) | |
download | liboil-cc4c61c3126533224bef93898ea5dd2ba13ed1fc.tar.gz |
Check for overflows in fast utf8 functions where truncated wide
characters would result in reads past the end of the buffer. Fixes
testsuite failures.
Diffstat (limited to 'liboil/utf8')
-rw-r--r-- | liboil/utf8/utf8_fast.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/liboil/utf8/utf8_fast.c b/liboil/utf8/utf8_fast.c index 077c63a..2c1cf73 100644 --- a/liboil/utf8/utf8_fast.c +++ b/liboil/utf8/utf8_fast.c @@ -94,6 +94,7 @@ utf8_validate_fast2 (int32_t *d_1, uint8_t *s, int n) } x <<= 1; if (!(x & 0x80)) { + if (i + 1 >= n) goto error; i++; if ((s[i] & 0xc0) != 0x80) goto error; i++; @@ -101,6 +102,7 @@ utf8_validate_fast2 (int32_t *d_1, uint8_t *s, int n) } x <<= 1; if (!(x & 0x80)) { + if (i + 2 >= n) goto error; i++; if ((s[i] & 0xc0) != 0x80) goto error; i++; @@ -110,6 +112,7 @@ utf8_validate_fast2 (int32_t *d_1, uint8_t *s, int n) } x <<= 1; if (!(x & 0x80)) { + if (i + 3 >= n) goto error; i++; if ((s[i] & 0xc0) != 0x80) goto error; i++; @@ -148,12 +151,14 @@ utf8_validate_fast3 (int32_t *d_1, uint8_t *s, int n) goto error; } if (!(x & 0x20)) { + if (i + 1 >= n) goto error; i++; if ((s[i] & 0xc0) != 0x80) goto error; i++; continue; } if (!(x & 0x10)) { + if (i + 2 >= n) goto error; i++; if ((s[i] & 0xc0) != 0x80) goto error; i++; @@ -162,6 +167,7 @@ utf8_validate_fast3 (int32_t *d_1, uint8_t *s, int n) continue; } if (!(x & 0x08)) { + if (i + 3 >= n) goto error; i++; if ((s[i] & 0xc0) != 0x80) goto error; i++; @@ -208,7 +214,7 @@ utf8_validate_lookup (int32_t *d_1, uint8_t *s, int n) while (i<n) { x = utf8_table[s[i]]; if (x > 0) { - if (x == 8) goto error; + if (x == 8 || i + x >= n) goto error; while (x>0) { i++; if ((s[i] & 0xc0) != 0x80) goto error; |