author | Wan-Teh Chang <wtc@google.com> | 2013-05-13 16:12:33 -0700 |
---|---|---|
committer | Wan-Teh Chang <wtc@google.com> | 2013-05-13 16:12:33 -0700 |
commit | 8c35f46f07b4e2367fb3ede3cd69a51c509467ba (patch) | |
tree | 89c77a588d02ace5cd6d15917e47c81b93365a11 /lib/certdb | |
parent | 963c27f00965adac33a1c87fdd91eb04a26fd85c (diff) | |
download | nss-hg-8c35f46f07b4e2367fb3ede3cd69a51c509467ba.tar.gz |
Bug 869262: AppendAVA() should pass the minimum of avaValue->len and
valueLen to escapeAndQuote() to avoid reading beyond the end of the
avaValue->data buffer. r=sleevi.
Diffstat (limited to 'lib/certdb')
-rw-r--r-- | lib/certdb/alg1485.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/certdb/alg1485.c b/lib/certdb/alg1485.c
index 17bbfda5e..edb95af48 100644
--- a/lib/certdb/alg1485.c
+++ b/lib/certdb/alg1485.c
@@ -1036,8 +1036,10 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict)
 } else {
 /* must truncate the escaped and quoted value */
 char bigTmpBuf[TMPBUF_LEN * 3 + 3];
+ PORT_Assert(valueLen < sizeof tmpBuf);
 rv = escapeAndQuote(bigTmpBuf, sizeof bigTmpBuf,
- (char *)avaValue->data, valueLen, &mode);
+ (char *)avaValue->data,
+ PR_MIN(avaValue->len, valueLen), &mode);
 bigTmpBuf[valueLen--] = '\0'; /* hard stop here */
 /* See if we're in the middle of a multi-byte UTF8 character */ |
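Review bot: The bound that keeps `bigTmpBuf[valueLen--] = '\0';` inside the buffer is expressed only as `PORT_Assert(valueLen < sizeof tmpBuf);`, and PORT_Assert compiles to nothing in optimized builds, so in release the store depends on code outside this hunk having already capped `valueLen`. Pairing the assert with a runtime guard before the call, for example `if (valueLen >= sizeof tmpBuf) return SECFailure;` (adjusted for whatever cleanup AppendAVA needs, since its body starts and ends outside the hunk), would keep the limit enforced in shipped binaries. The visible lines also index `bigTmpBuf` before `rv` is tested; if escapeAndQuote can fail without filling the buffer, the `rv` check should come before the store, though it may already exist below the hunk. A short comment noting why the assert compares against `sizeof tmpBuf` rather than `sizeof bigTmpBuf` would help the next reader.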