From cd28819d237420d47de76d040a742ca42117f28a Mon Sep 17 00:00:00 2001
From: Benny Prijono <bennylp@teluu.com>
Date: Wed, 6 Jan 2010 14:35:13 +0000
Subject: Ticket #1012: Potential buffer overflow in Unicode string conversion
 (thanks Orville Pike for the report)

git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@3047 74dad513-b988-da41-8d7b-12977e46ad98
---
 pjlib/src/pj/unicode_symbian.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'pjlib/src/pj/unicode_symbian.cpp')

diff --git a/pjlib/src/pj/unicode_symbian.cpp b/pjlib/src/pj/unicode_symbian.cpp
index 20a91a2f..5274c4d4 100644
--- a/pjlib/src/pj/unicode_symbian.cpp
+++ b/pjlib/src/pj/unicode_symbian.cpp
@@ -38,7 +38,10 @@ PJ_DEF(wchar_t*) pj_ansi_to_unicode( const char *str, pj_size_t len,
 	// Error, or there are unconvertable characters
 	*wbuf = 0;
     } else {
-	wbuf[len] = 0;
+	if (len < wbuf_count)
+	    wbuf[len] = 0;
+	else
+	    wbuf[len-1] = 0;
     }
 
     return wbuf;
@@ -61,7 +64,10 @@ PJ_DEF(char*) pj_unicode_to_ansi( const wchar_t *wstr, pj_size_t len,
 	// Error, or there are unconvertable characters
 	buf[0] = '\0';
     } else {
-	buf[len] = '\0';
+	if (len < buf_size)
+	    buf[len] = '\0';
+	else
+	    buf[len-1] = '\0';
     }
 
     return buf;
-- 
cgit v1.2.3