diff options
| author | Adam Vartanian <flooey@google.com> | 2017-09-11 11:14:55 +0000 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2017-09-11 11:14:55 +0000 |
| commit | e2b5839d4cc63ed116fb0b682ee6963af303b41f (patch) | |
| tree | 467d3def2fc2e63b71ab3bb2b55f31bbe0b7e87c /libutils/Unicode.cpp | |
| parent | 3c31204e683ac0af321c67f9e55488a64ed3a35e (diff) | |
| parent | 16e2001f0b225a9fc4e4afe6f553a5a1c939333b (diff) | |
Fix integer overflow in utf{16,32}_to_utf8_length am: f0a43dede9 am: 33abf90994 am: 789673b15c am: 1436927851 am: d70e582d67 am: 62d5a78df3 am: 5b37a8ce87
am: 16e2001f0b
Change-Id: I217092b993f50a6380cf76049ebb94a99505b4a0
Diffstat (limited to 'libutils/Unicode.cpp')
| -rw-r--r-- | libutils/Unicode.cpp | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/libutils/Unicode.cpp b/libutils/Unicode.cpp index ba084f6ce..bfacf1ed7 100644 --- a/libutils/Unicode.cpp +++ b/libutils/Unicode.cpp @@ -18,6 +18,7 @@ #include <utils/Unicode.h> #include <stddef.h> +#include <limits.h> #if defined(_WIN32) # undef nhtol @@ -178,7 +179,15 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len) size_t ret = 0; const char32_t *end = src + src_len; while (src < end) { - ret += utf32_codepoint_utf8_length(*src++); + size_t char_len = utf32_codepoint_utf8_length(*src++); + if (SSIZE_MAX - char_len < ret) { + // If this happens, we would overflow the ssize_t type when + // returning from this function, so we cannot express how + // long this string is in an ssize_t. + android_errorWriteLog(0x534e4554, "37723026"); + return -1; + } + ret += char_len; } return ret; } @@ -438,14 +447,23 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len) size_t ret = 0; const char16_t* const end = src + src_len; while (src < end) { + size_t char_len; if ((*src & 0xFC00) == 0xD800 && (src + 1) < end && (*(src + 1) & 0xFC00) == 0xDC00) { // surrogate pairs are always 4 bytes. - ret += 4; + char_len = 4; src += 2; } else { - ret += utf32_codepoint_utf8_length((char32_t) *src++); + char_len = utf32_codepoint_utf8_length((char32_t)*src++); + } + if (SSIZE_MAX - char_len < ret) { + // If this happens, we would overflow the ssize_t type when + // returning from this function, so we cannot express how + // long this string is in an ssize_t. + android_errorWriteLog(0x534e4554, "37723026"); + return -1; } + ret += char_len; } return ret; } |