Posted to c-dev@xerces.apache.org by rl...@apache.org on 2021/08/24 05:19:56 UTC

[xerces-c] branch master updated: ICUTranscoder::transcodeFrom(): fix read heap-buffer-overflow

This is an automated email from the ASF dual-hosted git repository.

rleigh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/xerces-c.git


The following commit(s) were added to refs/heads/master by this push:
     new e335da5  ICUTranscoder::transcodeFrom(): fix read heap-buffer-overflow
     new b0e7b3c  Merge pull request #24 from rouault/fix_gdal_ossfuzz_35373
e335da5 is described below

commit e335da54127cd29091f6be97da97b24c9fd7c7e7
Author: Even Rouault <ev...@spatialys.com>
AuthorDate: Tue Aug 10 12:20:35 2021 +0200

    ICUTranscoder::transcodeFrom(): fix read heap-buffer-overflow
    
    Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35373
    
    When charsDecoded == 0, the line ``for (index = 0; index < charsDecoded
    - 1; index++)`` will cause a read out of bounds of fSrcOffsets, due to
    unsigned integer underflow rules.
---
 src/xercesc/util/Transcoders/ICU/ICUTransService.cpp | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/xercesc/util/Transcoders/ICU/ICUTransService.cpp b/src/xercesc/util/Transcoders/ICU/ICUTransService.cpp
index 7660fca..a7bff4e 100644
--- a/src/xercesc/util/Transcoders/ICU/ICUTransService.cpp
+++ b/src/xercesc/util/Transcoders/ICU/ICUTransService.cpp
@@ -563,7 +563,7 @@ ICUTranscoder::transcodeFrom(const  XMLByte* const          srcData
         {
             charSizes[0] = (unsigned char)bytesEaten;
         }
-        else
+        else if( charsDecoded > 0 )
         {
             //  ICU does not return an extra element to allow us to figure
             //  out the last char size, so we have to compute it from the
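Review bot: the new `else if( charsDecoded > 0 )` guard is the right place to stop the wrap-around, but nothing in the code says why it is there; the comment block that follows only explains how the last char size is computed. Suggest extending that comment with one line, e.g. `//  charsDecoded is unsigned, so charsDecoded - 1 wraps when it is 0`, so the guard is not "simplified away" later. Also worth confirming that when charsDecoded == 0 and bytesEaten > 0 (neither branch now writes charSizes), every caller reads only charSizes[0 .. charsDecoded) and not charSizes[0].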
@@ -574,10 +574,9 @@ ICUTranscoder::transcodeFrom(const  XMLByte* const          srcData
                 charSizes[index] = (unsigned char)(fSrcOffsets[index + 1]
                                                     - fSrcOffsets[index]);
             }
-            if( charsDecoded > 0 ) {
-                charSizes[charsDecoded - 1] = (unsigned char)(bytesEaten
-                                              - fSrcOffsets[charsDecoded - 1]);
-            }
+
+            charSizes[charsDecoded - 1] = (unsigned char)(bytesEaten
+                                          - fSrcOffsets[charsDecoded - 1]);
         }
     }
 
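Review bot: dropping the inner `if( charsDecoded > 0 )` is correct since the enclosing `else if` now guarantees charsDecoded >= 1, so `charSizes[charsDecoded - 1]` and `fSrcOffsets[charsDecoded - 1]` are in bounds. What is missing is a regression test: the commit references the oss-fuzz 35373 input but the change adds no test case exercising the charsDecoded == 0 path of ICUTranscoder::transcodeFrom(), and this code is only compiled in the ICU transcoder build, so the path is easy to leave uncovered. Suggest adding the minimized reproducer (or a synthetic input that decodes to zero chars) to the test suite run with the ICU transcoder enabled.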
