#1012 closed defect (fixed)
Potential buffer overflow in Unicode string conversion (thanks Orville Pike for the report)
| Reported by: | bennylp | Owned by: | bennylp |
|---|---|---|---|
| Priority: | normal | Milestone: | release-1.5.5 |
| Component: | pjlib | Version: | trunk |
| Keywords: | | Cc: | |
| Backport to 1.x milestone: | | Backported: | |
Description (last modified by bennylp)
In unicode_win32.c the pj_ansi_to_unicode function uses MultiByteToWideChar to do character conversion which could result in a buffer overflow.
```c
PJ_DEF(wchar_t*) pj_ansi_to_unicode(const char *s, pj_size_t len,
                                    wchar_t *buf, pj_size_t buf_count)
{
    PJ_ASSERT_RETURN(s && buf, NULL);

    len = MultiByteToWideChar(CP_ACP, 0, s, len, buf, buf_count);
    buf[len] = 0;   /* writes one element past buf when len == buf_count */
    return buf;
}
```
Under most circumstances the above won't have a problem; however, if the converted length returned into len equals buf_count (the output fills the buffer completely), then `buf[len] = 0` writes one element past the end of buf.
The same issue also exists in pj_unicode_to_ansi(), and in Symbian port.
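The off-by-one described above, demonstrated as an added example that is not code from pjlib or from this ticket: the Win32 call is replaced by a portable stand-in (`widen_bytes`, an assumption), the vulnerable pattern is run against a buffer with a guard element after it, and a hardened variant (one possible fix, not a copy of r3047) reserves room for the terminator.

```c
#include <stddef.h>
#include <wchar.h>

/* Stand-in for MultiByteToWideChar (assumption: Win32 is not needed to show
 * the bug): widens src_len bytes into dst without a terminator, writing at
 * most dst_count elements; returns the count written, or 0 if dst is too
 * small, as the Win32 call does on an insufficient buffer. */
static size_t widen_bytes(const char *src, size_t src_len, wchar_t *dst, size_t dst_count)
{
    if (src_len > dst_count) return 0;
    for (size_t i = 0; i < src_len; ++i)
        dst[i] = (wchar_t)(unsigned char)src[i];
    return src_len;
}

/* The ticket's vulnerable pattern: when the conversion fills buf exactly,
 * len == buf_count and buf[len] is one element past the end of buf. */
wchar_t *ansi_to_unicode_vuln(const char *s, size_t len, wchar_t *buf, size_t buf_count)
{
    len = widen_bytes(s, len, buf, buf_count);
    buf[len] = 0;                     /* off-by-one when len == buf_count */
    return buf;
}

/* Hardened variant (one possible fix, not a copy of r3047): reserve one
 * element for the terminator and reject input that would not fit. */
wchar_t *ansi_to_unicode_safe(const char *s, size_t len, wchar_t *buf, size_t buf_count)
{
    if (!s || !buf || buf_count == 0) return NULL;
    size_t n = widen_bytes(s, len, buf, buf_count - 1);  /* room for NUL */
    if (n == 0 && len != 0) return NULL;                 /* would overflow */
    buf[n] = 0;                                          /* n <= buf_count-1 */
    return buf;
}

typedef wchar_t *(*converter)(const char *, size_t, wchar_t *, size_t);

/* Runs conv into a buf_count-element buffer followed by one guard element.
 * Returns 1 if the guard was overwritten (the overflow happened), -1 if conv
 * rejected the input, 0 if the result was terminated in bounds, 2 otherwise. */
int guard_result(converter conv, const char *s, size_t len, size_t buf_count)
{
    wchar_t storage[16 + 1];
    if (buf_count > 16 || len > 16) return 2;
    storage[buf_count] = 0xBEEF;                         /* guard slot */
    wchar_t *r = conv(s, len, storage, buf_count);
    if (storage[buf_count] != 0xBEEF) return 1;
    if (r == NULL) return -1;
    return storage[len] == 0 ? 0 : 2;
}
```

With a 4-byte input and a 4-element buffer the vulnerable pattern clobbers the guard, while the hardened variant refuses the input instead of writing past the end.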
Change History (4)
comment:1 Changed 15 years ago by bennylp
- Description modified (diff)
comment:2 Changed 15 years ago by bennylp
- Component changed from applications to pjlib
comment:3 Changed 15 years ago by bennylp
- Resolution set to fixed
- Status changed from new to closed
comment:4 Changed 15 years ago by ismangil
- Milestone changed from release-1.6 to release-1.5.5
Fixed in r3047