首页 发现 帮助
登录
hongwenjun
/
musl
镜像自地址 https://git.musl-libc.org/git/musl
1
0
派生 0
文件 工单管理 0 Wiki
浏览代码

fix buffer overflow in mbsrtowcs

issue reported by Michael Forney:

"If wn becomes 0 after processing a chunk of 4, mbsrtowcs currently
continues on, wrapping wn around to -1, causing the rest of the string
to be processed.

This resulted in buffer overruns if there was only space in ws for wn
wide characters."

the original patch submitted added an additional check for !wn after
the loop; to avoid extra branching, I instead just changed the wn>=4
check to wn>=5 to ensure that at least one slot remains after the
word-at-a-time loop runs. this should not slow down the tail
processing on real-world usage, since an extra slot that can't be
processed in the word-at-a-time loop is needed for the null
termination anyway.
Rich Felker 11 年之前
父节点
e1f1df9c74
当前提交
211264e46a
共有 1 个文件被更改,包括 1 次插入1 次删除
分列视图 显示文件统计
  1. 1 1
      src/multibyte/mbsrtowcs.c

+ 1 - 1
src/multibyte/mbsrtowcs.c
查看文件 

@@ -59,7 +59,7 @@ resume0:
 
 			return wn0;
 
 		}
 
 		if (*s-1u < 0x7f && (uintptr_t)s%4 == 0) {
 
-			while (wn>=4 && !(( *(uint32_t*)s | *(uint32_t*)s-0x01010101) & 0x80808080)) {
 
+			while (wn>=5 && !(( *(uint32_t*)s | *(uint32_t*)s-0x01010101) & 0x80808080)) {
 
 				*ws++ = *s++;
 
 				*ws++ = *s++;
 
 				*ws++ = *s++;