diff options
author | nelsonb%netscape.com <devnull@localhost> | 2003-11-27 05:08:20 +0000 |
---|---|---|
committer | nelsonb%netscape.com <devnull@localhost> | 2003-11-27 05:08:20 +0000 |
commit | ddf94261a4b167b9cae9b614942551b3449ed201 (patch) | |
tree | 3d6f52b7e02004408c2545eecfc83193a1f88510 /security/nss | |
parent | d470467a53cd099ddb43b9772e422eb0766249a9 (diff) | |
download | nss-hg-ddf94261a4b167b9cae9b614942551b3449ed201.tar.gz |
Detect invalid input buffer lengths, and return error instead of UMR>
Bugscape bug 54021. r=wchang0222
Diffstat (limited to 'security/nss')
-rw-r--r-- | security/nss/lib/util/utf8.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/security/nss/lib/util/utf8.c b/security/nss/lib/util/utf8.c index 7a3c3954d..013f202a9 100644 --- a/security/nss/lib/util/utf8.c +++ b/security/nss/lib/util/utf8.c @@ -236,6 +236,11 @@ sec_port_ucs4_utf8_conversion_function return PR_TRUE; } else { unsigned int i, len = 0; + PORT_Assert((inBufLen % 4) == 0); + if ((inBufLen % 4) != 0) { + *outBufLen = 0; + return PR_FALSE; + } for( i = 0; i < inBufLen; i += 4 ) { if( inBuf[i+L_0] >= 0x04 ) len += 6; @@ -457,6 +462,11 @@ sec_port_ucs2_utf8_conversion_function return PR_TRUE; } else { unsigned int i, len = 0; + PORT_Assert((inBufLen % 2) == 0); + if ((inBufLen % 2) != 0) { + *outBufLen = 0; + return PR_FALSE; + } for( i = 0; i < inBufLen; i += 2 ) { if( (inBuf[i+H_0] == 0x00) && ((inBuf[i+H_0] & 0x80) == 0x00) ) len += 1; |