
List:       icu-bugrfe
Subject:    Notification: incoming/1865
From:       jtcsv () jtcsv ! com
Date:       2002-04-17 18:50:18

ICU bug tracking notification

new message incoming/1865

Message summary for PR#1865
	From: jc@roguewave.com
	Subject: buffer overrun in ucol_calcSortKey()
	Date: Wed Apr 17 14:50:17 2002
	0 replies 	0 followups

====> ORIGINAL MESSAGE FOLLOWS <====

From: jc@roguewave.com
To: jtcsv@jtcsv.com
Date: Wed Apr 17 14:50:17 2002
Subject: buffer overrun in ucol_calcSortKey()

Full_Name: Carolyn Wasikowski
Version: 200
OS: all
PROJECT: ICU4C,ICU4J and ICU4JNI
JAVA:   
ICU_Component: collation
Submission from: (NULL) (12.22.36.198)


ucol_calcSortKey() and ucol_calcSortKeySimpleTertiary() both include code 
for preventing buffer overruns, but the code contains bugs.  They seem to 
work okay as far as actual collation weight values are concerned, but they
aren't careful enough when it comes to placing 0x01 "level terminators" 
between the different collation weight levels.

The program included below reproduces this problem, on both Windows and
Solaris. 

-JC

jc@roguewave.com
http://www.roguewave.com




#include <unicode/unistr.h>
#include <unicode/ucol.h>
#include <unicode/ucnv.h>
#include <stdio.h>

int
main(int argc, char *argv[])
{
  UErrorCode status = U_ZERO_ERROR;
  UConverter *converter = ucnv_open("Latin1", &status);
  UnicodeString str(" British the", -1, converter, status);
  UCollator *collator = ucol_open("en", &status);
  ucol_setAttribute(collator, UCOL_STRENGTH, UCOL_IDENTICAL, &status);
  if (U_FAILURE(status)) {
    fprintf(stderr, "Abandon ship!\n");
    return 1;
  } // if

  // normally, we'd create a buffer 4 times the length of the string,
  // as http://www-124.ibm.com/icu/userguide/Collate_API.html recommends.
  // but for the purpose of this test case, we'll hard-code a buffer size
  /*** int32_t bufSize = str.length() << 2; ***/
  int32_t bufSize = 14;
  uint8_t *buffer = new uint8_t[bufSize];
  printf("length:  %d\n", str.length());
  printf("bufSize:  %d\n", bufSize);

  // attempt to fill buffer.  AT THIS POINT, ucol_calcSortKey() WILL
  // OVERRUN THE BUFFER BY TWO BYTES
  int32_t correctSize = ucol_getSortKey(collator, str.getBuffer(),
   str.length(), buffer, bufSize);
  printf("correctSize:  %d\n", correctSize);

  // print out the buffer (but not the bytes written past the buffer). 
  // note that the last couple bytes are level terminators
  uint8_t *ptr = buffer;
  printf("original key:\n");
  for (int i = 0; i < bufSize; ++i) {
    int v = (int)buffer[i];
    printf(" %x", v);
  } // for
  printf("\n");

  // was the buffer too small?  try again
  if (bufSize < correctSize) {
    printf("create a bigger buffer, try again...\n");
    delete[] buffer;
    buffer = new uint8_t[correctSize];
    ucol_getSortKey(collator, str.getBuffer(), str.length(), buffer,
     correctSize);
  } // if

  // print out the correct sort key.  compare with the buffer printed
  // above
  printf("correct key:\n");
  for (int i = 0; i < correctSize; ++i) {
    int v = (int)buffer[i];
    printf(" %x", v);
  } // for
  printf("\n");

  delete[] buffer;
  ucol_close(collator);
  ucnv_close(converter);

  return 0;
} // main
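As an added illustration, not the reporter's program and not ICU's own code: a constructed model of a multi-level sort-key writer in which the 0x01 level terminators go through the same bounds check as the weight bytes, beside the unchecked variant the report describes, with canary bytes around the same 14-byte buffer so the overrun is detected rather than silently corrupting memory.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model (not ICU code) of a multi-level sort key writer: each
 * level's weights are followed by a 0x01 level terminator, the key ends
 * with 0x00. The bug class the report describes is a bounds check that
 * covers the weights but not the terminators. */
#define LEVEL_SEP 0x01
#define CANARY    0xAA

typedef struct { uint8_t *buf; int32_t cap; int32_t needed; } KeyOut;
/* One checked emitter for every byte: always count it, store it only
 * while it still fits. NULL/0 works as a preflight call. */
static void emit(KeyOut *o, uint8_t b) {
    if (o->needed < o->cap) o->buf[o->needed] = b;
    o->needed++;
}

/* Returns the full key length so the caller can retry with a bigger
 * buffer (the ucol_getSortKey contract). With buggy != 0 the terminators
 * bypass the check, reproducing the overrun-by-terminators pattern. */
int32_t calc_sort_key(const uint8_t *const *levels, const int32_t *lens,
                      int nlevels, uint8_t *buf, int32_t cap, int buggy) {
    KeyOut o = { buf, cap, 0 };
    for (int l = 0; l < nlevels; l++) {
        for (int32_t i = 0; i < lens[l]; i++) emit(&o, levels[l][i]);
        uint8_t term = (l == nlevels - 1) ? 0x00 : LEVEL_SEP;
        if (buggy) buf[o.needed++] = term;    /* unchecked write */
        else emit(&o, term);
    }
    return o.needed;
}

/* Canary check around a 14-byte buffer, the size the report's test program
 * hard-codes. Returns the required length, or -1 if any byte past the
 * 14-byte buffer was modified. */
int32_t try_with_14_byte_buffer(int buggy) {
    /* constructed weights: 10 primary, 3 secondary, 3 tertiary -> 19 bytes */
    static const uint8_t p[10] = {0x2a,0x2b,0x2c,0x2d,0x2e,0x2f,0x30,0x31,0x32,0x33};
    static const uint8_t s[3] = {0x05,0x05,0x05}, t[3] = {0x05,0x05,0x05};
    const uint8_t *const levels[3] = { p, s, t };
    const int32_t lens[3] = { 10, 3, 3 };
    uint8_t area[14 + 8];                  /* 8 canary bytes after the buffer */
    memset(area, CANARY, sizeof area);
    int32_t need = calc_sort_key(levels, lens, 3, area, 14, buggy);
    for (int i = 14; i < (int)sizeof area; i++)
        if (area[i] != CANARY) return -1;
    return need;
}
```

With the checked emitter the call reports 19 bytes needed and leaves the canary intact; the unchecked variant lands its terminators past the 14-byte buffer, which the canary scan catches.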
_______________________________________________
icu-bugrfe mailing list
icu-bugrfe@oss.software.ibm.com
http://oss.software.ibm.com/developerworks/oss/mailman/listinfo/icu-bugrfe
