Posted to c-dev@xerces.apache.org by "Alberto Massari (JIRA)" <xe...@xml.apache.org> on 2004/12/28 21:46:06 UTC

[jira] Closed: (XERCESC-1319) Buffer overflow in ICULCPTranscoder::transcode

     [ http://nagoya.apache.org/jira/browse/XERCESC-1319?page=history ]
     
Alberto Massari closed XERCESC-1319:
------------------------------------

    Resolution: Duplicate

Hi Alex,
I am closing this bug as a duplicate of http://nagoya.apache.org/jira/browse/XERCESC-964. At the same time, I am reopening #964 as a new comment has been added after it was closed, and it is similar to your final comment about forcing the NULL termination.

Thanks,
Alberto

> Buffer overflow in ICULCPTranscoder::transcode
> ----------------------------------------------
>
>          Key: XERCESC-1319
>          URL: http://nagoya.apache.org/jira/browse/XERCESC-1319
>      Project: Xerces-C++
>         Type: Bug
>   Components: Utilities
>  Environment: All Platforms
>     Reporter: Alex R. Herbstritt
>  Attachments: saxbug01cz.xml
>
> I have found a bug in the transcoder code when transcoding from UTF-16 to UTF-8. We use Xerces against an in-house library so I cannot include the code that reproduces the bug. But the bug has been reproduced on Windows and HPUX32. Instead I will give the details of the bug - along with the fix.
> The bug is a buffer overrun that happens in a very special case. The fix for it is very simple. I find it hard to believe that nobody has seen this bug before.
> The problem is located in the file
> xercesc/util/Transcoders/ICU/ICUTranService.cpp
> in the method
> XMLCh* ICULCPTranscoder::transcode(const char* const toTranscode)
> with the function call ucnv_fromUChars:
> targetCap = ucnv_fromUChars
>         (
>             fConverter
>             , retBuf
>             , targetLen + 1
>             , actualSrc
>             , -1
>             , &err
>         );
> This is the function that is doing the actual conversion. The problem is with the "targetLen + 1" - this should be replaced with "targetLen". (Note that the call that follows has "targetCap", not "targetCap + 1".)
> The problem is that ucnv_fromUChars can fill the buffer up, including the space held for the null term. That is, targetCap is returned equaling targetLen+1, along with a U_STRING_NOT_TERMINATED_WARNING. This is all fine, until the end of the method where,
>     // Cap it off and return
>     retBuf[targetCap] = 0;
>     return retBuf;
> will place the null term outside of the buffer. That is, we should never let targetCap be larger than targetLen. (The buffer overflow will only happen when targetCap==targetLen+1.)
> Replacing "targetLen + 1" with "targetLen" results in a U_BUFFER_OVERFLOW_ERROR. This is correct, because in the overflow case the problem is that the new string created is one byte longer than the buffer that was allocated. So we want the error to cause a new buffer to be allocated.
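As an added illustration (not code from the report, from Xerces-C++ or from ICU), the following C model replays the epilogue described above. model_fromUChars is a constructed stand-in for ucnv_fromUChars' buffer contract with a simplified signature, and replay_epilogue, the status constants and the sample strings are constructed for the example; instead of executing "retBuf[targetCap] = 0" it reports where that store would land.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the ICU status codes the report names. */
enum { U_ZERO_ERROR = 0, U_STRING_NOT_TERMINATED_WARNING = -124,
       U_BUFFER_OVERFLOW_ERROR = 15 };

/* Hypothetical model of ucnv_fromUChars' buffer contract (not ICU code):
 * writes at most destCap bytes, always returns the length the complete
 * output needs, reports "not terminated" when the output exactly fills
 * destCap and "overflow" when it does not fit at all. */
static size_t model_fromUChars(char *dest, size_t destCap,
                               const char *converted, int *err)
{
    size_t needed = strlen(converted);
    if (needed > destCap) {
        memcpy(dest, converted, destCap);
        *err = U_BUFFER_OVERFLOW_ERROR;
    } else if (needed == destCap) {
        memcpy(dest, converted, needed);       /* no room left for the NUL */
        *err = U_STRING_NOT_TERMINATED_WARNING;
    } else {
        memcpy(dest, converted, needed + 1);
        *err = U_ZERO_ERROR;
    }
    return needed;
}

enum epilogue { TERM_IN_BOUNDS, TERM_OUT_OF_BOUNDS, NEED_LARGER_BUFFER };

/* Replays the transcode() epilogue: retBuf holds targetLen + 1 bytes and
 * capArg is what the call passes as capacity (targetLen + 1 in the buggy
 * version, targetLen in the fix). Returns where "retBuf[targetCap] = 0"
 * would land, or that the caller must first allocate a larger buffer. */
enum epilogue replay_epilogue(size_t targetLen, size_t capArg,
                              const char *converted)
{
    size_t bufSize = targetLen + 1;
    char *retBuf = calloc(bufSize, 1);
    if (retBuf == NULL)
        abort();
    int err = U_ZERO_ERROR;
    size_t targetCap = model_fromUChars(retBuf, capArg, converted, &err);
    free(retBuf);
    if (err == U_BUFFER_OVERFLOW_ERROR)
        return NEED_LARGER_BUFFER;   /* fixed path: re-allocate and retry */
    return targetCap < bufSize ? TERM_IN_BOUNDS : TERM_OUT_OF_BOUNDS;
}
```

With a 5-byte buffer (targetLen 4) and a 5-byte result, passing targetLen + 1 puts the terminator at index 5, one past the end, while passing targetLen yields the overflow error that forces a bigger allocation.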

-- 
This message is automatically generated by JIRA.