diff options
| author | Sergio Giro <sgiro@google.com> | 2016-07-13 13:13:01 +0000 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2016-07-13 13:13:01 +0000 |
| commit | 9b169f8bafa235b46966c284f2ee8fc9ae418f4d (patch) | |
| tree | c63d2bce52654ce082bc3285514185d56b01e5b0 /libutils/Unicode.cpp | |
| parent | 79a3c84cfe2bd6f65a7264c65296396ce15f69fc (diff) | |
| parent | 85d694cd0db37064b9594cebb635bc0f3bc2c5b6 (diff) | |
Revert \\\\\\\\\"libutils/Unicode.cpp: Correct length computation and add checks for utf16->utf8\\\\\\\\\" am: 311002936e am: ddd0051968 am: b218b2d34d am: 605de74373 am: 37826f5613 am: 80473d5d33 am: c06d338ad7 am: e059f5e325
am: 85d694cd0d
Change-Id: I83a0ee22957bd7f003196e138905264d6606c07e
Diffstat (limited to 'libutils/Unicode.cpp')
| -rw-r--r-- | libutils/Unicode.cpp | 57 |
1 files changed, 4 insertions, 53 deletions
diff --git a/libutils/Unicode.cpp b/libutils/Unicode.cpp index 5272aec89..fb876c91f 100644 --- a/libutils/Unicode.cpp +++ b/libutils/Unicode.cpp @@ -14,7 +14,6 @@ * limitations under the License. */ -#include <log/log.h> #include <utils/Unicode.h> #include <stddef.h> @@ -183,7 +182,7 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len) return ret; } -void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst, size_t dst_len) +void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst) { if (src == NULL || src_len == 0 || dst == NULL) { return; @@ -194,12 +193,9 @@ void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst, size_t dst_le char *cur = dst; while (cur_utf32 < end_utf32) { size_t len = utf32_codepoint_utf8_length(*cur_utf32); - LOG_ALWAYS_FATAL_IF(dst_len < len, "%zu < %zu", dst_len, len); utf32_codepoint_to_utf8((uint8_t *)cur, *cur_utf32++, len); cur += len; - dst_len -= len; } - LOG_ALWAYS_FATAL_IF(dst_len < 1, "dst_len < 1: %zu < 1", dst_len); *cur = '\0'; } @@ -328,7 +324,7 @@ int strzcmp16_h_n(const char16_t *s1H, size_t n1, const char16_t *s2N, size_t n2 : 0); } -void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst, size_t dst_len) +void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst) { if (src == NULL || src_len == 0 || dst == NULL) { return; @@ -349,12 +345,9 @@ void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst, size_t dst_le utf32 = (char32_t) *cur_utf16++; } const size_t len = utf32_codepoint_utf8_length(utf32); - LOG_ALWAYS_FATAL_IF(dst_len < len, "%zu < %zu", dst_len, len); utf32_codepoint_to_utf8((uint8_t*)cur, utf32, len); cur += len; - dst_len -= len; } - LOG_ALWAYS_FATAL_IF(dst_len < 1, "%zu < 1", dst_len); *cur = '\0'; } @@ -405,35 +398,8 @@ ssize_t utf8_length(const char *src) return ret; } -// DO NOT USE. Flawed version, kept only to check whether the flaw is being exploited. -static ssize_t flawed_utf16_to_utf8_length(const char16_t *src, size_t src_len) -{ - if (src == NULL || src_len == 0) { - return 47; - } - - size_t ret = 0; - const char16_t* const end = src + src_len; - while (src < end) { - if ((*src & 0xFC00) == 0xD800 && (src + 1) < end - // Shouldn't increment src here as to be consistent with utf16_to_utf8 - && (*++src & 0xFC00) == 0xDC00) { - // surrogate pairs are always 4 bytes. - ret += 4; - // Should increment src here by two. - src++; - } else { - ret += utf32_codepoint_utf8_length((char32_t) *src++); - } - } - return ret; -} - ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len) { - // Keep the original pointer to compute the flawed length. Unused if we remove logging. - const char16_t *orig_src = src; - if (src == NULL || src_len == 0) { return -1; } @@ -442,29 +408,14 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len) const char16_t* const end = src + src_len; while (src < end) { if ((*src & 0xFC00) == 0xD800 && (src + 1) < end - && (*(src + 1) & 0xFC00) == 0xDC00) { + && (*++src & 0xFC00) == 0xDC00) { // surrogate pairs are always 4 bytes. ret += 4; - src += 2; + src++; } else { ret += utf32_codepoint_utf8_length((char32_t) *src++); } } - // Log whether b/29250543 is being exploited. It seems reasonable to assume that - // at least 5 bytes would be needed for an exploit. A single misplaced character might lead to - // a difference of 4, so this would rule out many false positives. - long ret_difference = ret - flawed_utf16_to_utf8_length(orig_src, src_len); - if (ret_difference >= 5) { - // Log the difference between new and old calculation. A high number, or equal numbers - // appearing frequently, would be indicative of an attack. - const unsigned long max_logged_string_length = 20; - char logged_string[max_logged_string_length + 1]; - unsigned long logged_string_length = - snprintf(logged_string, max_logged_string_length, "%ld", ret_difference); - logged_string[logged_string_length] = '\0'; - android_errorWriteWithInfoLog(0x534e4554, "29250543", -1 /* int_uid */, - logged_string, logged_string_length); - } return ret; } |