From 9910941387a4cad0d9f0360df2ccf6721fab8e2d Mon Sep 17 00:00:00 2001
From: Jehan
Date: Mon, 17 Jul 2023 18:46:35 +0200
Subject: [PATCH] =?UTF-8?q?Issue=20#33:=20crafted=20sequence=20of=20bytes?= =?UTF-8?q?=20triggers=20memory=20write=20past=20the=20bounds=20of?= =?UTF-8?q?=E2=80=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

… a heap allocated buffer. Before starting to process a multi-byte sequence, we should make sure that our buffer is not nearly full with single-byte data. If so, process said data first.
---
 src/nsMBCSGroupProber.cpp | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/nsMBCSGroupProber.cpp b/src/nsMBCSGroupProber.cpp
index 9512f3a..d822a5a 100644
--- a/src/nsMBCSGroupProber.cpp
+++ b/src/nsMBCSGroupProber.cpp
@@ -295,14 +295,25 @@ nsProbingState nsMBCSGroupProber::HandleData(const char* aBuf, PRUint32 aLen,
       {
         for (PRUint32 i = 0; i < NUM_OF_PROBERS; i++)
         {
+          int sequenceLength;
+
           if (!mIsActive[i])
             continue;
 
+          sequenceLength = pos + 1 - start;
+
+          if (codePointBuffer[i] && codePointBufferIdx[i] + sequenceLength > codePointBufferSize[i])
+          {
+            for (PRUint32 j = 0; j < NUM_OF_LANGUAGES; j++)
+              langDetectors[i][j]->HandleData(codePointBuffer[i], codePointBufferIdx[i]);
+            codePointBufferIdx[i] = 0;
+          }
+
           if (codePointBuffer[i])
-            st = mProbers[i]->HandleData(aBuf + start, pos + 1 - start,
+            st = mProbers[i]->HandleData(aBuf + start, sequenceLength,
                                          &(codePointBuffer[i]), &(codePointBufferIdx[i]));
           else
-            st = mProbers[i]->HandleData(aBuf + start, pos + 1 - start, NULL, NULL);
+            st = mProbers[i]->HandleData(aBuf + start, sequenceLength, NULL, NULL);
 
           if (codePointBufferIdx[i] > 0 && codePointBuffer[i])
           {
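Review bot: The new guard flushes only when `codePointBufferIdx[i] + sequenceLength > codePointBufferSize[i]`, so it relies on the sub-prober writing at most `sequenceLength` code points per call and on a single sequence never being larger than the whole buffer; neither invariant is checked here, and the write itself still happens inside `mProbers[i]->HandleData`, which receives the buffer and index but no capacity. Passing `codePointBufferSize[i]` down so the callee bounds its own writes would enforce the contract where the memory is touched rather than at this one call site, and would keep a future caller from reintroducing the overflow. The added flush loop also appears to duplicate the per-language feed that the `if (codePointBufferIdx[i] > 0 && codePointBuffer[i])` block at the end of the hunk presumably performs; a small private helper that drains `codePointBuffer[i]` into `langDetectors[i]` and resets the index would keep the two paths in step. `sequenceLength` is declared `int` while it is computed from and compared against what look like `PRUint32` values, so declaring it `PRUint32` avoids the signed/unsigned mix in the comparison. `HandleData` begins before this hunk and continues past it.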