Ticket #1012: Potential buffer overflow in Unicode string conversion (thanks Orville Pike for the report)

git-svn-id: https://svn.pjsip.org/repos/pjproject/trunk@3047 74dad513-b988-da41-8d7b-12977e46ad98
2010-01-06 14:35:13 +00:00 · 2010-01-06 14:35:13 +00:00 · ebeeb1bf52
parent caecfd4c40
commit ebeeb1bf52
2 changed files with 22 additions and 4 deletions
--- a/pjlib/src/pj/unicode_symbian.cpp
+++ b/pjlib/src/pj/unicode_symbian.cpp
@ -38,7 +38,10 @@ PJ_DEF(wchar_t*) pj_ansi_to_unicode( const char *str, pj_size_t len,
 	// Error, or there are unconvertable characters
 	*wbuf = 0;
    } else {
-	wbuf[len] = 0;
+	if (len < wbuf_count)
+	    wbuf[len] = 0;
+	else
+	    wbuf[len-1] = 0;
    }

    return wbuf;
@ -61,7 +64,10 @@ PJ_DEF(char*) pj_unicode_to_ansi( const wchar_t *wstr, pj_size_t len,
 	// Error, or there are unconvertable characters
 	buf[0] = '\0';
    } else {
-	buf[len] = '\0';
+	if (len < buf_size)
+	    buf[len] = '\0';
+	else
+	    buf[len-1] = '\0';
    }

    return buf;
--- a/pjlib/src/pj/unicode_win32.c
+++ b/pjlib/src/pj/unicode_win32.c
@ -30,7 +30,13 @@ PJ_DEF(wchar_t*) pj_ansi_to_unicode(const char *s, pj_size_t len,

    len = MultiByteToWideChar(CP_ACP, 0, s, len, 
 			      buf, buf_count);
-    buf[len] = 0;
+    if (buf_count) {
+	if (len < buf_count)
+	    buf[len] = 0;
+	else
+	    buf[len-1] = 0;
+    }
+
    return buf;
 }

@ -41,7 +47,13 @@ PJ_DEF(char*) pj_unicode_to_ansi( const wchar_t *wstr, pj_size_t len,
    PJ_ASSERT_RETURN(wstr && buf, NULL);

    len = WideCharToMultiByte(CP_ACP, 0, wstr, len, buf, buf_size, NULL, NULL);
-    buf[len] = '\0';
+    if (buf_size) {
+	if (len < buf_size)
+	    buf[len] = '\0';
+	else
+	    buf[len-1] = '\0';
+    }
+
    return buf;
 }