diff options
author | Edwin Mons <edwin.mons@isode.com> | 2018-10-24 13:37:33 (GMT) |
---|---|---|
committer | Edwin Mons <edwin.mons@isode.com> | 2018-10-24 16:15:21 (GMT) |
commit | 1c71c5a77e037038c581a68774c96fad9a79030b (patch) | |
tree | 3ee82bd0d84aa1d4c33d69948ca10952bda9cd35 /Swiften/IDN/LibIDNConverter.cpp | |
parent | 0f4a77303fedfaa57977d6ca528799305eac9367 (diff) | |
download | swift-1c71c5a77e037038c581a68774c96fad9a79030b.zip swift-1c71c5a77e037038c581a68774c96fad9a79030b.tar.bz2 |
Fix buffer overrun in LibIDNConverter
When Swift::LibIDNConverter::getStringPrepared was called with an input
of 1024 or more characters, stringprep would be called on a memory
region that wasn't NUL-terminated. It also blindly trimmed the input to
1024 bytes, even though there may be input longer than that that still
results in a valid 1023 byte prepped string.
IDNConverterTest has been converted to gtest, as cppunit cannot deal
with testing for std::exceptions being thrown on at least macOS
Test-Information:
Unit tests pass on macOS 10.13 and Debian 9
Before fix, the newly added unit tests triggered an ASan abort due to a
buffer overrun.
After fix, all unit tests pass, even with ASan enabled.
Change-Id: Ia3e51a39f5db1de32b8f8bb388f81ca041136df7
Diffstat (limited to 'Swiften/IDN/LibIDNConverter.cpp')
-rw-r--r-- | Swiften/IDN/LibIDNConverter.cpp | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/Swiften/IDN/LibIDNConverter.cpp b/Swiften/IDN/LibIDNConverter.cpp index 0c01352..2325015 100644 --- a/Swiften/IDN/LibIDNConverter.cpp +++ b/Swiften/IDN/LibIDNConverter.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2016 Isode Limited. + * Copyright (c) 2012-2018 Isode Limited. * All rights reserved. * See the COPYING file for more information. */ @@ -24,7 +24,7 @@ extern "C" { using namespace Swift; namespace { - static const int MAX_STRINGPREP_SIZE = 1024; + static const size_t MAX_STRINGPREP_SIZE = 1024; const Stringprep_profile* getLibIDNProfile(IDNConverter::StringPrepProfile profile) { switch(profile) { @@ -44,7 +44,8 @@ namespace { return ContainerType(); } - input.resize(MAX_STRINGPREP_SIZE); + // Ensure we have enough space for stringprepping, and that input is always NUL terminated + input.resize(std::max(MAX_STRINGPREP_SIZE, input.size() + 1)); if (stringprep(&input[0], MAX_STRINGPREP_SIZE, static_cast<Stringprep_profile_flags>(0), getLibIDNProfile(profile)) == 0) { return input; } |