diff options
author | Benny Prijono <bennylp@teluu.com> | 2010-01-06 14:35:13 +0000 |
---|---|---|
committer | Benny Prijono <bennylp@teluu.com> | 2010-01-06 14:35:13 +0000 |
commit | cd28819d237420d47de76d040a742ca42117f28a (patch) | |
tree | 335c1c74a0081d3432e820ea777c25089db7d56c | |
parent | 50aba46a7d97ae0d4cad9d5b9374fbbe5210b3f2 (diff) |
Ticket #1012: Potential buffer overflow in Unicode string conversion (thanks Orville Pike for the report)
git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@3047 74dad513-b988-da41-8d7b-12977e46ad98
-rw-r--r-- | pjlib/src/pj/unicode_symbian.cpp | 10 | ||||
-rw-r--r-- | pjlib/src/pj/unicode_win32.c | 16 |
2 files changed, 22 insertions, 4 deletions
diff --git a/pjlib/src/pj/unicode_symbian.cpp b/pjlib/src/pj/unicode_symbian.cpp index 20a91a2f..5274c4d4 100644 --- a/pjlib/src/pj/unicode_symbian.cpp +++ b/pjlib/src/pj/unicode_symbian.cpp @@ -38,7 +38,10 @@ PJ_DEF(wchar_t*) pj_ansi_to_unicode( const char *str, pj_size_t len, // Error, or there are unconvertable characters *wbuf = 0; } else { - wbuf[len] = 0; + if (len < wbuf_count) + wbuf[len] = 0; + else + wbuf[len-1] = 0; } return wbuf; @@ -61,7 +64,10 @@ PJ_DEF(char*) pj_unicode_to_ansi( const wchar_t *wstr, pj_size_t len, // Error, or there are unconvertable characters buf[0] = '\0'; } else { - buf[len] = '\0'; + if (len < buf_size) + buf[len] = '\0'; + else + buf[len-1] = '\0'; } return buf; diff --git a/pjlib/src/pj/unicode_win32.c b/pjlib/src/pj/unicode_win32.c index 4b37dbd1..78ba1354 100644 --- a/pjlib/src/pj/unicode_win32.c +++ b/pjlib/src/pj/unicode_win32.c @@ -30,7 +30,13 @@ PJ_DEF(wchar_t*) pj_ansi_to_unicode(const char *s, pj_size_t len, len = MultiByteToWideChar(CP_ACP, 0, s, len, buf, buf_count); - buf[len] = 0; + if (buf_count) { + if (len < buf_count) + buf[len] = 0; + else + buf[len-1] = 0; + } + return buf; } @@ -41,7 +47,13 @@ PJ_DEF(char*) pj_unicode_to_ansi( const wchar_t *wstr, pj_size_t len, PJ_ASSERT_RETURN(wstr && buf, NULL); len = WideCharToMultiByte(CP_ACP, 0, wstr, len, buf, buf_size, NULL, NULL); - buf[len] = '\0'; + if (buf_size) { + if (len < buf_size) + buf[len] = '\0'; + else + buf[len-1] = '\0'; + } + return buf; } |