Ticket #1012 (closed defect: fixed)

Opened 9 years ago

Last modified 9 years ago

Potential buffer overflow in Unicode string conversion (thanks Orville Pike for the report)

Reported by: bennylp Owned by: bennylp
Priority: normal Milestone: release-1.5.5
Component: pjlib Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported:

Description (last modified by bennylp)

In unicode_win32.c the pj_ansi_to_unicode function uses MultiByteToWideChar to do character conversion which could result in a buffer overflow.

PJ_DEF(wchar_t*) pj_ansi_to_unicode(const char *s, pj_size_t len,
                                    wchar_t *buf, pj_size_t buf_count)
{
    PJ_ASSERT_RETURN(s && buf, NULL);

    len = MultiByteToWideChar(CP_ACP, 0, s, len, buf, buf_count);
    buf[len] = 0;   /* writes one element past the end when len == buf_count */

    return buf;
}

Under most circumstances the above won't have a problem; however, if the values of len and buf_count are the same, then doing "buf[len]=0" is going to overflow the buf buffer.

The same issue also exists in pj_unicode_to_ansi() and in the Symbian port.
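The off-by-one described above, as an added example that is not part of the ticket or of pjlib: a portable stand-in for MultiByteToWideChar (constructed here, not the Win32 API) drives the ticket's pattern against a guard element instead of real out-of-bounds memory, beside one hardened shape that reserves the terminator slot (an assumption for illustration, not the change made in r3047).

```c
#include <stddef.h>
#include <wchar.h>

/* Stand-in for MultiByteToWideChar, constructed for this example (not the
 * Win32 API): widens `len` bytes of `s` into `buf`, writing at most
 * `buf_count` elements and returning the number written, or 0 when the
 * output does not fit. Like the real call with an explicit input length,
 * it writes no terminator; the caller is expected to append one. */
static size_t widen(const char *s, size_t len, wchar_t *buf, size_t buf_count)
{
    if (len > buf_count)
        return 0;
    for (size_t i = 0; i < len; i++)
        buf[i] = (wchar_t)(unsigned char)s[i];
    return len;
}

#define GUARD 0x7777   /* sentinel planted one element past the end */

/* Reproduces the ticket's pattern without touching memory it does not own:
 * the local array has one guard element beyond the `buf_count` the
 * converter is told about. Returns 1 when the terminator store
 * `buf[len] = 0` landed in the guard, i.e. when it would have overflowed. */
static int unsafe_pattern_overflows(const char *s, size_t len, size_t buf_count)
{
    wchar_t buf[32 + 1];
    if (buf_count > 32)
        return -1;
    buf[buf_count] = GUARD;
    len = widen(s, len, buf, buf_count);
    buf[len] = 0;            /* len == buf_count hits the guard element */
    return buf[buf_count] != GUARD;
}

/* One hardened shape (an assumption here, not the project's fix): reserve
 * the last element for the terminator so the index written is always at
 * most buf_count - 1, and report failure rather than silently handing back
 * an empty buffer when the input does not fit. */
static wchar_t *to_unicode_safe(const char *s, size_t len, wchar_t *buf, size_t buf_count)
{
    if (!s || !buf || buf_count == 0)
        return NULL;
    size_t n = widen(s, len, buf, buf_count - 1);
    buf[n] = 0;              /* n <= buf_count - 1: always in bounds */
    return (n == 0 && len > 0) ? NULL : buf;
}
```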

Change History

comment:1 Changed 9 years ago by bennylp

  • Description modified

comment:2 Changed 9 years ago by bennylp

  • Component changed from applications to pjlib

comment:3 Changed 9 years ago by bennylp

  • Status changed from new to closed
  • Resolution set to fixed

Fixed in r3047

comment:4 Changed 9 years ago by ismangil

  • Milestone changed from release-1.6 to release-1.5.5