[29191] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.12]: Fix minor utf8-to-ucs2s read overrun bug
daemon@ATHENA.MIT.EDU (Tom Yu)
Thu Dec 10 18:14:45 2015
Date: Thu, 10 Dec 2015 18:14:41 -0500
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201512102314.tBANEfhL003376@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/fdbac6f2bbbe4673359760f2170770aa93044882
commit fdbac6f2bbbe4673359760f2170770aa93044882
Author: Greg Hudson <ghudson@mit.edu>
Date: Fri Sep 25 17:31:53 2015 -0400
Fix minor utf8-to-ucs2s read overrun bug
k5_utf8s_to_ucs2s() reads and ignores one extra byte from the input
string before terminating its loop, possibly overrunning the input
buffer of its caller. This overrun is typically without consequence,
but can show up in tools like asan or valgrind during RC4
string-to-key operations. Fix the bug by swapping the order of the
loop conditions.
(cherry picked from commit eb52da21d72faa3d00b1205a5a0fdbabc45c9e6d)
ticket: 8321 (new)
version_fixed: 1.12.5
status: resolved
src/util/support/utf8_conv.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/util/support/utf8_conv.c b/src/util/support/utf8_conv.c
index b8bf989..8fa2ce0 100644
--- a/src/util/support/utf8_conv.c
+++ b/src/util/support/utf8_conv.c
@@ -85,7 +85,7 @@ k5_utf8s_to_ucs2s(krb5_ucs2 *ucs2str,
}
/* Examine next UTF-8 character. */
- while (*utf8str && ucs2len < count) {
+ while (ucs2len < count && *utf8str != '\0') {
/* Get UTF-8 sequence length from 1st byte */
utflen = KRB5_UTF8_CHARLEN2(utf8str, utflen);
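Review bot: The order of the two operands in the new `while` condition is now what prevents the read past the caller's buffer, but the comment above it ("Examine next UTF-8 character.") does not say so, and a later cleanup could swap them back without noticing. Suggest extending that comment to state that `ucs2len < count` must be tested before `*utf8str` is dereferenced, because the input may end exactly at `count` characters with no terminator. The diffstat shows only utf8_conv.c changing, so the fix ships without a regression test; a test that passes a buffer of exactly `count` characters with no trailing NUL and runs under asan or valgrind would pin the behaviour described in the commit message. Separately, the new check bounds the number of output characters, while the body goes on to take a sequence length from the first byte via `KRB5_UTF8_CHARLEN2(utf8str, utflen)`; the hunk does not show how the continuation bytes of a final multi-byte sequence are bounded, so that is worth confirming in the rest of the loop.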