diff options
Diffstat (limited to 'libutils/Unicode.cpp')
| -rw-r--r-- | libutils/Unicode.cpp | 57 |
1 files changed, 4 insertions, 53 deletions
diff --git a/libutils/Unicode.cpp b/libutils/Unicode.cpp index a75c258f1..a66e3bbbb 100644 --- a/libutils/Unicode.cpp +++ b/libutils/Unicode.cpp @@ -14,7 +14,6 @@ * limitations under the License. */ -#include <log/log.h> #include <utils/Unicode.h> #include <stddef.h> @@ -189,7 +188,7 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len) return ret; } -void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst, size_t dst_len) +void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst) { if (src == NULL || src_len == 0 || dst == NULL) { return; @@ -200,12 +199,9 @@ void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst, size_t dst_le char *cur = dst; while (cur_utf32 < end_utf32) { size_t len = utf32_codepoint_utf8_length(*cur_utf32); - LOG_ALWAYS_FATAL_IF(dst_len < len, "%zu < %zu", dst_len, len); utf32_codepoint_to_utf8((uint8_t *)cur, *cur_utf32++, len); cur += len; - dst_len -= len; } - LOG_ALWAYS_FATAL_IF(dst_len < 1, "dst_len < 1: %zu < 1", dst_len); *cur = '\0'; } @@ -334,7 +330,7 @@ int strzcmp16_h_n(const char16_t *s1H, size_t n1, const char16_t *s2N, size_t n2 : 0); } -void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst, size_t dst_len) +void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst) { if (src == NULL || src_len == 0 || dst == NULL) { return; @@ -354,12 +350,9 @@ void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst, size_t dst_le utf32 = (char32_t) *cur_utf16++; } const size_t len = utf32_codepoint_utf8_length(utf32); - LOG_ALWAYS_FATAL_IF(dst_len < len, "%zu < %zu", dst_len, len); utf32_codepoint_to_utf8((uint8_t*)cur, utf32, len); cur += len; - dst_len -= len; } - LOG_ALWAYS_FATAL_IF(dst_len < 1, "%zu < 1", dst_len); *cur = '\0'; } @@ -410,35 +403,8 @@ ssize_t utf8_length(const char *src) return ret; } -// DO NOT USE. Flawed version, kept only to check whether the flaw is being exploited. -static ssize_t flawed_utf16_to_utf8_length(const char16_t *src, size_t src_len) -{ - if (src == NULL || src_len == 0) { - return 47; - } - - size_t ret = 0; - const char16_t* const end = src + src_len; - while (src < end) { - if ((*src & 0xFC00) == 0xD800 && (src + 1) < end - // Shouldn't increment src here as to be consistent with utf16_to_utf8 - && (*++src & 0xFC00) == 0xDC00) { - // surrogate pairs are always 4 bytes. - ret += 4; - // Should increment src here by two. - src++; - } else { - ret += utf32_codepoint_utf8_length((char32_t) *src++); - } - } - return ret; -} - ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len) { - // Keep the original pointer to compute the flawed length. Unused if we remove logging. - const char16_t *orig_src = src; - if (src == NULL || src_len == 0) { return -1; } @@ -447,29 +413,14 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len) const char16_t* const end = src + src_len; while (src < end) { if ((*src & 0xFC00) == 0xD800 && (src + 1) < end - && (*(src + 1) & 0xFC00) == 0xDC00) { + && (*++src & 0xFC00) == 0xDC00) { // surrogate pairs are always 4 bytes. ret += 4; - src += 2; + src++; } else { ret += utf32_codepoint_utf8_length((char32_t) *src++); } } - // Log whether b/29250543 is being exploited. It seems reasonable to assume that - // at least 5 bytes would be needed for an exploit. A single misplaced character might lead to - // a difference of 4, so this would rule out many false positives. - long ret_difference = ret - flawed_utf16_to_utf8_length(orig_src, src_len); - if (ret_difference >= 5) { - // Log the difference between new and old calculation. A high number, or equal numbers - // appearing frequently, would be indicative of an attack. - const unsigned long max_logged_string_length = 20; - char logged_string[max_logged_string_length + 1]; - unsigned long logged_string_length = - snprintf(logged_string, max_logged_string_length, "%ld", ret_difference); - logged_string[logged_string_length] = '\0'; - android_errorWriteWithInfoLog(0x534e4554, "29250543", -1 /* int_uid */, - logged_string, logged_string_length); - } return ret; } |