Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#1012 closed defect (fixed)

Potential buffer overflow in Unicode string conversion (thanks Orville Pike for the report)

Reported by: bennylp Owned by: bennylp
Priority: normal Milestone: release-1.5.5
Component: pjlib Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported:

Description (last modified by bennylp)

In unicode_win32.c the pj_ansi_to_unicode function uses MultiByteToWideChar to do character conversion which could result in a buffer overflow.

PJ_DEF(wchar_t*) pj_ansi_to_unicode(const char *s, pj_size_t len,
                                    wchar_t *buf, pj_size_t buf_count)
{
    PJ_ASSERT_RETURN(s && buf, NULL);

    len = MultiByteToWideChar(CP_ACP, 0, s, len, buf, buf_count);
    buf[len]=0;
    return buf;
}

Under most circumstances the above won't have a problem however if the value in len and buf_count are the same then doing
"buf[len]=0" is going to overflow the buf buffer.

The same issue also exists in pj_unicode_to_ansi(), and in Symbian port.

Change History (4)

comment:1 Changed 9 years ago by bennylp

  • Description modified (diff)

comment:2 Changed 9 years ago by bennylp

  • Component changed from applications to pjlib

comment:3 Changed 9 years ago by bennylp

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r3047

comment:4 Changed 9 years ago by ismangil

  • Milestone changed from release-1.6 to release-1.5.5
Note: See TracTickets for help on using tickets.