List: kde-commits
Subject: branches/KDE/3.5/kdelibs/kjs
From: Dirk Mueller <mueller () kde ! org>
Date: 2006-01-19 16:25:42
Message-ID: 1137687942.863909.25505.nullmailer () svn ! kde ! org
SVN commit 500197 by mueller:
fix buffer overflow when decoding utf-8 uri sequences. Patch by Harri
Porten and myself.
M +13 -4 function.cpp
--- branches/KDE/3.5/kdelibs/kjs/function.cpp #500196:500197
@@ -77,7 +77,8 @@
}
else if (C.uc >= 0xD800 && C.uc <= 0xDBFF) {
- if (k == string.size()) {
+ // we need two chars
+ if (k + 1 >= string.size()) {
Object err = Error::create(exec,URIError);
exec->setException(err);
free(encbuf);
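Review bot: The new comment `// we need two chars` does not say why, and the bound it guards is the security-relevant part of this hunk. I would spell it out as `// high surrogate: a low surrogate must follow, so index k+1 has to be in range`. The old test `k == string.size()` presumably could never be true for a valid index k, so an unpaired high surrogate at the end of the string was not rejected. The code that consumes the second unit lies outside the hunk, so whether it also checks the 0xDC00-0xDFFF range cannot be confirmed from here.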
@@ -197,6 +198,10 @@
}
k += 2;
+
+ if (decbufLen+2 >= decbufAlloc)
+ decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
+
if ((B & 0x80) == 0) {
// Single-byte character
C = B;
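Review bot: The added `realloc` assigns its result straight to `decbuf`, so an allocation failure leaves `decbuf` null, leaks the old buffer, and the later `decbuf[decbufLen++] = C` writes through the null pointer. `decbufAlloc` is also doubled before the call is known to have succeeded, so the recorded capacity would be wrong even if the failure were handled later. I would grow through a temporary and bail out on failure with the same cleanup the other error paths on this page use (`free(decbuf); return UString();`); which error object to raise is not visible in the hunk. The enclosing loop starts and ends outside the hunk.

```cpp
if (decbufLen+2 >= decbufAlloc) {
  UChar *grown = (UChar*)realloc(decbuf,(decbufAlloc * 2)*sizeof(UChar));
  if (!grown) {
    // report the failure the way this function's other error paths do
    free(decbuf);
    return UString();
  }
  decbuf = grown;
  decbufAlloc *= 2;
}
```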
@@ -257,6 +262,12 @@
assert(n == 4);
unsigned long uuuuu = ((octets[0] & 0x07) << 2) | ((octets[1] >> 4) & 0x03);
unsigned long vvvv = uuuuu-1;
+ if (vvvv > 0x0F) {
+ Object err = Error::create(exec,URIError);
+ exec->setException(err);
+ free(decbuf);
+ return UString();
+ }
unsigned long wwww = octets[1] & 0x0F;
unsigned long xx = (octets[2] >> 4) & 0x03;
unsigned long yyyy = octets[2] & 0x0F;
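Review bot: The guard `if (vvvv > 0x0F)` rejects two different malformed inputs, but nothing in the code says so, and one of them is caught only through unsigned wrap-around. When `uuuuu` is 0 (an overlong four-byte form), `uuuuu-1` wraps to the maximum `unsigned long` and fails the test. When `uuuuu` is above 16, the code point would exceed U+10FFFF and `vvvv` would not fit the four bits it gets in the surrogate. I would add `// uuuuu must be 1..16: 0 wraps vvvv (overlong form), >16 is beyond U+10FFFF` above the check, so that nobody later changes `vvvv` to a signed type and silently loses the first case. The function body extends outside the hunk.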
@@ -270,9 +281,7 @@
}
if (reservedSet.find(C) < 0) {
- if (decbufLen+1 >= decbufAlloc)
- decbuf = (UChar*)realloc(decbuf,(decbufAlloc *= 2)*sizeof(UChar));
- decbuf[decbufLen++] = C;
+ decbuf[decbufLen++] = C;
}
else {
while (decbufLen+k-start >= decbufAlloc)
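Review bot: The store `decbuf[decbufLen++] = C;` no longer has a capacity check next to it. It is safe only because of the `decbufLen+2 >= decbufAlloc` growth added roughly 80 lines earlier, presumably in the same loop iteration. That non-local invariant deserves a comment at the write, for example `// room for this UChar was reserved by the decbufLen+2 check after k += 2`, so that a later edit adding another store on this path does not reintroduce the overflow. The enclosing block continues past the end of the hunk.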