You are viewing a plain text version of this content. The canonical link for it is here.
Posted to c-dev@xerces.apache.org by rl...@apache.org on 2021/08/24 05:19:56 UTC
[xerces-c] branch master updated: ICUTranscoder::transcodeFrom():
fix read heap-buffer-overflow
This is an automated email from the ASF dual-hosted git repository.
rleigh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/xerces-c.git
The following commit(s) were added to refs/heads/master by this push:
new e335da5 ICUTranscoder::transcodeFrom(): fix read heap-buffer-overflow
new b0e7b3c Merge pull request #24 from rouault/fix_gdal_ossfuzz_35373
e335da5 is described below
commit e335da54127cd29091f6be97da97b24c9fd7c7e7
Author: Even Rouault <ev...@spatialys.com>
AuthorDate: Tue Aug 10 12:20:35 2021 +0200
ICUTranscoder::transcodeFrom(): fix read heap-buffer-overflow
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35373
When charsDecoded == 0, the line ``for (index = 0; index < charsDecoded
- 1; index++)`` will cause to read out of bounds of fSrcOffsets, due to
unsigned integer underflow rules.
---
src/xercesc/util/Transcoders/ICU/ICUTransService.cpp | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/xercesc/util/Transcoders/ICU/ICUTransService.cpp b/src/xercesc/util/Transcoders/ICU/ICUTransService.cpp
index 7660fca..a7bff4e 100644
--- a/src/xercesc/util/Transcoders/ICU/ICUTransService.cpp
+++ b/src/xercesc/util/Transcoders/ICU/ICUTransService.cpp
@@ -563,7 +563,7 @@ ICUTranscoder::transcodeFrom(const XMLByte* const srcData
{
charSizes[0] = (unsigned char)bytesEaten;
}
- else
+ else if( charsDecoded > 0 )
{
// ICU does not return an extra element to allow us to figure
// out the last char size, so we have to compute it from the
@@ -574,10 +574,9 @@ ICUTranscoder::transcodeFrom(const XMLByte* const srcData
charSizes[index] = (unsigned char)(fSrcOffsets[index + 1]
- fSrcOffsets[index]);
}
- if( charsDecoded > 0 ) {
- charSizes[charsDecoded - 1] = (unsigned char)(bytesEaten
- - fSrcOffsets[charsDecoded - 1]);
- }
+
+ charSizes[charsDecoded - 1] = (unsigned char)(bytesEaten
+ - fSrcOffsets[charsDecoded - 1]);
}
}
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org