coffee/uchardet
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/uchardet/uchardet.git synced 2025-12-06 16:56:40 +08:00
Code Issues Packages Projects Releases Wiki Activity

Issue #33: crafted sequence of bytes triggers memory write past the bounds of…

Browse Source 
… a heap allocated buffer.

Before starting to process a multi-byte sequence, we should make sure
that our buffer is not nearly full with single-byte data. If so, process
said data first.
This commit is contained in:
Jehan 2023-07-17 18:46:35 +02:00
parent 8fe0b2e080
commit 9910941387
1 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/nsMBCSGroupProber.cpp
View File

@ -295,14 +295,25 @@ nsProbingState nsMBCSGroupProber::HandleData(const char* aBuf, PRUint32 aLen,
{ {
for (PRUint32 i = 0; i < NUM_OF_PROBERS; i++) for (PRUint32 i = 0; i < NUM_OF_PROBERS; i++)
{ {
int sequenceLength;
if (!mIsActive[i]) if (!mIsActive[i])
continue; continue;
sequenceLength = pos + 1 - start;
if (codePointBuffer[i] && codePointBufferIdx[i] + sequenceLength > codePointBufferSize[i])
{
for (PRUint32 j = 0; j < NUM_OF_LANGUAGES; j++)
langDetectors[i][j]->HandleData(codePointBuffer[i], codePointBufferIdx[i]);
codePointBufferIdx[i] = 0;
}
if (codePointBuffer[i]) if (codePointBuffer[i])
st = mProbers[i]->HandleData(aBuf + start, pos + 1 - start, st = mProbers[i]->HandleData(aBuf + start, sequenceLength,
&(codePointBuffer[i]), &(codePointBufferIdx[i])); &(codePointBuffer[i]), &(codePointBufferIdx[i]));
else else
st = mProbers[i]->HandleData(aBuf + start, pos + 1 - start, NULL, NULL); st = mProbers[i]->HandleData(aBuf + start, sequenceLength, NULL, NULL);
if (codePointBufferIdx[i] > 0 && codePointBuffer[i]) if (codePointBufferIdx[i] > 0 && codePointBuffer[i])
{ {