Opened 15 years ago
Last modified 15 years ago
#1012 closed defect
Potential buffer overflow in Unicode string conversion (thanks Orville Pike for the report) — at Initial Version
| Reported by: | bennylp | Owned by: | bennylp |
|---|---|---|---|
| Priority: | normal | Milestone: | release-1.5.5 |
| Component: | pjlib | Version: | trunk |
| Keywords: | | Cc: | |
| Backport to 1.x milestone: | | Backported: | |
Description
In unicode_win32.c the pj_ansi_to_unicode function uses MultiByteToWideChar to do the character conversion, which could result in a buffer overflow.

```c
PJ_DEF(wchar_t*) pj_ansi_to_unicode(const char *s, pj_size_t len,
                                    wchar_t *buf, pj_size_t buf_count)
{
    PJ_ASSERT_RETURN(s && buf, NULL);

    /* Returns the number of wide characters written, which can be
     * as many as buf_count (no terminator is written for an explicit len). */
    len = MultiByteToWideChar(CP_ACP, 0, s, len, buf, buf_count);
    /* When len == buf_count this stores one element past the end of buf. */
    buf[len]=0;

    return buf;
}
```
Under most circumstances the above won't cause a problem; however, if the values of len and buf_count are the same, then doing "buf[len]=0" overflows the buf buffer, because the converter may legitimately fill all buf_count elements and the terminator then lands at index buf_count.

The same issue also exists in pj_unicode_to_ansi(), and in the Symbian port.
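A hardened form of the routine, added here as an illustration and not taken from pjlib: the converter is handed buf_count - 1 elements so one slot is always left for the terminator, and its failure return is treated as an error rather than silently indexed. MultiByteToWideChar is Windows-only, so the block uses a hypothetical stand-in (`stub_multibyte_to_wide`) that mimics its count-and-fail-when-too-small contract for ASCII input; on Windows that line becomes `MultiByteToWideChar(CP_ACP, 0, s, (int)len, buf, (int)buf_count - 1)`.

```c
#include <stddef.h>
#include <wchar.h>

/* Stand-in for MultiByteToWideChar(CP_ACP, 0, s, len, buf, buf_count) so the
 * example builds off Windows (assumption: 7-bit ASCII only). Like the real
 * API it returns the number of wide chars written, or 0 when the output
 * buffer cannot hold them (ERROR_INSUFFICIENT_BUFFER on Windows). */
static size_t stub_multibyte_to_wide(const char *s, size_t len,
                                     wchar_t *buf, size_t buf_count)
{
    size_t i;
    if (len > buf_count)
        return 0;
    for (i = 0; i < len; i++)
        buf[i] = (wchar_t)(unsigned char)s[i];
    return len;
}

/* Hardened conversion: buf_count - 1 is passed to the converter, so the
 * largest count it can return is buf_count - 1 and buf[n] stays in bounds.
 * Returns NULL (and leaves buf empty) when the string plus terminator
 * does not fit, instead of writing the terminator at buf[buf_count]. */
wchar_t *safe_ansi_to_unicode(const char *s, size_t len,
                              wchar_t *buf, size_t buf_count)
{
    size_t n;
    if (s == NULL || buf == NULL || buf_count == 0)
        return NULL;
    n = stub_multibyte_to_wide(s, len, buf, buf_count - 1);
    if (n == 0 && len > 0) {   /* converter failed: buffer too small */
        buf[0] = 0;
        return NULL;
    }
    buf[n] = 0;                /* n <= buf_count - 1 */
    return buf;
}

/* The ticket's case: len == buf_count. Returns 1 when the hardened
 * routine refuses the conversion rather than overflowing. */
int ticket_case_is_rejected(void)
{
    wchar_t buf[4];
    return safe_ansi_to_unicode("abcd", 4, buf, 4) == NULL && buf[0] == 0;
}

/* A string that fits with room for the terminator converts normally. */
int fitting_case_is_terminated(void)
{
    wchar_t buf[4];
    return safe_ansi_to_unicode("abc", 3, buf, 4) == buf
        && buf[0] == L'a' && buf[2] == L'c' && buf[3] == 0;
}
```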