
List:       kde-commits
Subject:    branches/KDE/3.5/kdelibs/kjs
From:       Dirk Mueller <mueller () kde ! org>
Date:       2006-01-19 16:25:42
Message-ID: 1137687942.863909.25505.nullmailer () svn ! kde ! org

SVN commit 500197 by mueller:

Fix buffer overflow when decoding UTF-8 URI sequences. Patch by Harri
Porten and myself.


 M  +13 -4     function.cpp  


--- branches/KDE/3.5/kdelibs/kjs/function.cpp #500196:500197
@@ -77,7 +77,8 @@
       }
       else if (C.uc >= 0xD800 && C.uc <= 0xDBFF) {
 
-	if (k == string.size()) {
+        // we need two chars
+	if (k + 1 >= string.size()) {
 	  Object err = Error::create(exec,URIError);
 	  exec->setException(err);
 	  free(encbuf);
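Review bot: The new comment on the line above the check is vaguer than the condition it explains, and it is indented with spaces while the rest of the block uses tabs. A high surrogate (the `0xD800`–`0xDBFF` range tested on the `else if`) is only meaningful together with the following code unit, which is why the guard now needs `k + 1` to be a valid index; spelling that out would let a reader verify the `>=`: `// a high surrogate must be followed by a low surrogate, so string[k+1] must exist`. The enclosing function begins and ends outside this hunk, so whether `k` is the index of the current unit or has already been advanced is not visible here and should be confirmed against the surrounding loop.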
@@ -197,6 +198,10 @@
     }
 
     k += 2;
+
+    if (decbufLen+2 >= decbufAlloc)
+        decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
+
     if ((B & 0x80) == 0) {
       // Single-byte character
       C = B;
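Review bot: The result of the hoisted `realloc` is assigned straight back to `decbuf`, so an allocation failure overwrites the only pointer to the old buffer with `NULL`, leaks it, and the write `decbuf[decbufLen++] = C` further down then dereferences a null pointer. The same unchecked pattern survives in the `while (decbufLen+k-start >= decbufAlloc)` loop at the end of the last hunk of this commit; both should keep the old pointer until the new one is known to be valid and bail out the way the other failure paths in this file do (the `Error::create(exec,URIError)` / `free` / `return UString()` sequence visible in the next hunk, or whatever error is appropriate for out-of-memory). Growing by `decbufAlloc *= 2` once presumably leaves room for the two UChars the guard asks for as long as the initial capacity is larger than a couple of units; that initial value is outside the hunk and worth confirming.
```cpp
    k += 2;

    // Reserve room for the up-to-two UChars written below; keep the old
    // buffer until the new one is known to be valid.
    if (decbufLen+2 >= decbufAlloc) {
        UChar* grown = (UChar*)realloc(decbuf, (decbufAlloc * 2) * sizeof(UChar));
        if (!grown) {
            Object err = Error::create(exec,URIError);
            exec->setException(err);
            free(decbuf);
            return UString();
        }
        decbuf = grown;
        decbufAlloc *= 2;
    }
    // … unchanged: single-byte / multi-byte decoding of B …
```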
@@ -257,6 +262,12 @@
 	assert(n == 4);
 	unsigned long uuuuu = ((octets[0] & 0x07) << 2) | ((octets[1] >> 4) & 0x03);
 	unsigned long vvvv = uuuuu-1;
+	if (vvvv > 0x0F) {
+          Object err = Error::create(exec,URIError);
+	  exec->setException(err);
+	  free(decbuf);
+	  return UString();
+	}        
 	unsigned long wwww = octets[1] & 0x0F;
 	unsigned long xx = (octets[2] >> 4) & 0x03;
 	unsigned long yyyy = octets[2] & 0x0F;
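Review bot: The `vvvv > 0x0F` guard is correct but relies on unsigned wrap-around that nothing in the hunk explains: `uuuuu` is an `unsigned long`, so for `uuuuu == 0` the subtraction on the previous line wraps to a huge value and the test rejects that case too, not only `uuuuu > 0x10`. A one-line comment would save the next reader from re-deriving this: `// valid 4-byte sequences have uuuuu in 1..0x10; uuuuu == 0 wraps vvvv to ULONG_MAX and is rejected as well`. The new block also mixes space and tab indentation (the `Object err` line versus its neighbours) and the closing brace line carries trailing whitespace.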
@@ -270,9 +281,7 @@
     }
 
     if (reservedSet.find(C) < 0) {
-      if (decbufLen+1 >= decbufAlloc)
-	decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
-      decbuf[decbufLen++] = C;
+        decbuf[decbufLen++] = C;
     }
     else {
       while (decbufLen+k-start >= decbufAlloc)
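Review bot: The surviving `decbuf[decbufLen++] = C;` is re-indented to eight spaces, two deeper than the statements in the sibling `else` branch directly below it, which makes the two arms of the `if` look like they belong to different nesting levels. Keeping it at the branch's previous six-space indent, `      decbuf[decbufLen++] = C;`, restores the file's alignment; the capacity check this line used to carry is now done earlier in the loop, so no other change is needed here. The enclosing loop ends outside this hunk.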
