authorWan-Teh Chang <wtc@google.com>2013-05-13 16:12:33 -0700
committerWan-Teh Chang <wtc@google.com>2013-05-13 16:12:33 -0700
commit8c35f46f07b4e2367fb3ede3cd69a51c509467ba (patch)
tree89c77a588d02ace5cd6d15917e47c81b93365a11 /lib/certdb
parent963c27f00965adac33a1c87fdd91eb04a26fd85c (diff)
downloadnss-hg-8c35f46f07b4e2367fb3ede3cd69a51c509467ba.tar.gz
Bug 869262: AppendAVA() should pass the minimum of avaValue->len and
valueLen to escapeAndQuote() to avoid reading beyond the end of the avaValue->data buffer. r=sleevi.
Diffstat (limited to 'lib/certdb')
-rw-r--r--lib/certdb/alg1485.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/certdb/alg1485.c b/lib/certdb/alg1485.c
index 17bbfda5e..edb95af48 100644
--- a/lib/certdb/alg1485.c
+++ b/lib/certdb/alg1485.c
@@ -1036,8 +1036,10 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict)
} else {
/* must truncate the escaped and quoted value */
char bigTmpBuf[TMPBUF_LEN * 3 + 3];
+ PORT_Assert(valueLen < sizeof tmpBuf);
rv = escapeAndQuote(bigTmpBuf, sizeof bigTmpBuf,
- (char *)avaValue->data, valueLen, &mode);
+ (char *)avaValue->data,
+ PR_MIN(avaValue->len, valueLen), &mode);
bigTmpBuf[valueLen--] = '\0'; /* hard stop here */
/* See if we're in the middle of a multi-byte UTF8 character */
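Review bot: The bound that keeps `bigTmpBuf[valueLen--] = '\0';` inside the array is stated only by `PORT_Assert(valueLen < sizeof tmpBuf);`, and PORT_Assert compiles to nothing in non-debug builds, so release builds depend entirely on whatever limits valueLen earlier in AppendAVA, outside this hunk. If that limit is not guaranteed on every path into this branch, add a runtime guard before the call, for example `if (valueLen >= sizeof bigTmpBuf) return SECFailure;` (assuming the function reports errors as SECStatus). The assert names tmpBuf while the write goes to bigTmpBuf, so a comment such as `/* valueLen was already truncated to fit tmpBuf; bigTmpBuf is larger */` would make the relationship explicit, if that is indeed the intent. In the visible lines rv from escapeAndQuote is not checked before the terminator is written; the function continues past the hunk, so it may be checked there.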