authorBenny Prijono <bennylp@teluu.com>2010-01-06 14:35:13 +0000
committerBenny Prijono <bennylp@teluu.com>2010-01-06 14:35:13 +0000
commitcd28819d237420d47de76d040a742ca42117f28a (patch)
tree335c1c74a0081d3432e820ea777c25089db7d56c
parent50aba46a7d97ae0d4cad9d5b9374fbbe5210b3f2 (diff)
Ticket #1012: Potential buffer overflow in Unicode string conversion (thanks Orville Pike for the report)
git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@3047 74dad513-b988-da41-8d7b-12977e46ad98
-rw-r--r--pjlib/src/pj/unicode_symbian.cpp10
-rw-r--r--pjlib/src/pj/unicode_win32.c16
2 files changed, 22 insertions, 4 deletions
diff --git a/pjlib/src/pj/unicode_symbian.cpp b/pjlib/src/pj/unicode_symbian.cpp
index 20a91a2f..5274c4d4 100644
--- a/pjlib/src/pj/unicode_symbian.cpp
+++ b/pjlib/src/pj/unicode_symbian.cpp
@@ -38,7 +38,10 @@ PJ_DEF(wchar_t*) pj_ansi_to_unicode( const char *str, pj_size_t len,
// Error, or there are unconvertable characters
*wbuf = 0;
} else {
- wbuf[len] = 0;
+ if (len < wbuf_count)
+ wbuf[len] = 0;
+ else
+ wbuf[len-1] = 0;
}
return wbuf;
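Review bot: The `else` branch writes `wbuf[len-1]`, which is inside the buffer only when `len == wbuf_count`; if `len` is larger the terminator still lands past the end, and with `len == 0` and `wbuf_count == 0` the index wraps around (assuming `pj_size_t` is unsigned). Indexing off the buffer size closes both cases: `if (wbuf_count) wbuf[len < wbuf_count ? len : wbuf_count-1] = 0;`, which also matches the zero-size guard this commit adds in unicode_win32.c. The `pj_unicode_to_ansi` hunk below has the same pattern with `buf[len-1]` and `buf_size`. Whether `len` can actually exceed the buffer count at this point depends on code above the hunk, which is not visible here.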
@@ -61,7 +64,10 @@ PJ_DEF(char*) pj_unicode_to_ansi( const wchar_t *wstr, pj_size_t len,
// Error, or there are unconvertable characters
buf[0] = '\0';
} else {
- buf[len] = '\0';
+ if (len < buf_size)
+ buf[len] = '\0';
+ else
+ buf[len-1] = '\0';
}
return buf;
diff --git a/pjlib/src/pj/unicode_win32.c b/pjlib/src/pj/unicode_win32.c
index 4b37dbd1..78ba1354 100644
--- a/pjlib/src/pj/unicode_win32.c
+++ b/pjlib/src/pj/unicode_win32.c
@@ -30,7 +30,13 @@ PJ_DEF(wchar_t*) pj_ansi_to_unicode(const char *s, pj_size_t len,
len = MultiByteToWideChar(CP_ACP, 0, s, len,
buf, buf_count);
- buf[len] = 0;
+ if (buf_count) {
+ if (len < buf_count)
+ buf[len] = 0;
+ else
+ buf[len-1] = 0;
+ }
+
return buf;
}
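Review bot: The `else` branch at `buf[len-1] = 0` silently overwrites the last converted character when the output fills `buf_count` exactly, and a return of 0 from MultiByteToWideChar (its failure value, including a too-small destination) simply yields an empty string, so a caller cannot tell truncation or failure from a genuinely short result. That contract deserves a comment above the block, for example `/* Always NUL-terminated when buf_count > 0; a full buffer loses its last character and a failed conversion yields an empty string. */`. When `buf_count` is 0 the function still returns `buf` without having written a terminator, so a caller that treats the return value as a C string would read whatever was already there; documenting that or rejecting it up front with `PJ_ASSERT_RETURN(buf_count, NULL);` would make the behaviour explicit. The same applies to the `pj_unicode_to_ansi` hunk that follows; the start of this function is outside the hunk.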
@@ -41,7 +47,13 @@ PJ_DEF(char*) pj_unicode_to_ansi( const wchar_t *wstr, pj_size_t len,
PJ_ASSERT_RETURN(wstr && buf, NULL);
len = WideCharToMultiByte(CP_ACP, 0, wstr, len, buf, buf_size, NULL, NULL);
- buf[len] = '\0';
+ if (buf_size) {
+ if (len < buf_size)
+ buf[len] = '\0';
+ else
+ buf[len-1] = '\0';
+ }
+
return buf;
}
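Review bot: Terminating with `buf[len-1] = '\0'` can cut a multibyte character in half when CP_ACP is a double-byte code page and the converted output fills `buf_size` exactly, leaving a lone lead byte at the end of the returned string. If callers pass the result on to code that parses it by character, that stray byte may be misinterpreted. At minimum the behaviour should be stated next to the branch, e.g. `/* truncation may split a multibyte character; callers should size buf with room for the terminator */`. The function's signature is outside the hunk.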