[31173] in CVS-changelog-for-Kerberos-V5


krb5 commit: Avoid small read overrun in UTF8 normalization

daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Tue Nov 15 11:31:23 2022

From: ghudson@mit.edu
To: <cvs-krb5@mit.edu>
Message-ID: <20221115162957.AF69B102FB9@krbdev.mit.edu>
Date: Tue, 15 Nov 2022 11:29:57 -0500 (EST)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/fb9cf8cfbf8da0d160cb61250b952f2b8e5484f4
commit fb9cf8cfbf8da0d160cb61250b952f2b8e5484f4
Author: Greg Hudson <ghudson@mit.edu>
Date:   Wed Oct 12 00:27:17 2022 -0400

    Avoid small read overrun in UTF8 normalization
    
    In krb5int_utf8_normalize(), check the length of the current character
    against the buffer length before reading more than one byte.  Credit
    to OSS-Fuzz for discovering the overrun.
    
    ticket: 9072 (new)

 src/lib/krb5/unicode/ucstr.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/lib/krb5/unicode/ucstr.c b/src/lib/krb5/unicode/ucstr.c
index 21030bf25..e3ed9bc64 100644
--- a/src/lib/krb5/unicode/ucstr.c
+++ b/src/lib/krb5/unicode/ucstr.c
@@ -199,6 +199,12 @@ krb5int_utf8_normalize(
 	/* s[i] is non-ascii */
 	/* convert everything up to next ascii to ucs-4 */
 	while (i < len) {
+	    /* KRB5_UTF8_CHARLEN only looks at the first byte; use it to guard
+	     * against small read overruns. */
+	    if (KRB5_UTF8_CHARLEN(s + i) > len - i) {
+		retval = KRB5_ERR_INVALID_UTF8;
+		goto cleanup;
+	    }
 	    clen = KRB5_UTF8_CHARLEN2(s + i, clen);
 	    if (clen == 0) {
 		retval = KRB5_ERR_INVALID_UTF8;
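Review bot: the guard added before KRB5_UTF8_CHARLEN2 has no regression test alongside it (the diff stat shows only src/lib/krb5/unicode/ucstr.c changed); since the overrun was found by OSS-Fuzz, a unit test that feeds krb5int_utf8_normalize() a buffer ending in a truncated multibyte sequence (a lead byte whose KRB5_UTF8_CHARLEN exceeds the remaining length) and expects KRB5_ERR_INVALID_UTF8 would pin the fix. Two smaller points on the same lines: the comparison `KRB5_UTF8_CHARLEN(s + i) > len - i` is safe from wraparound only because the loop condition `while (i < len)` holds at that point, which is worth stating in the comment; and a lead byte for which KRB5_UTF8_CHARLEN yields 0 passes the new guard (0 is never greater than `len - i`) and is then rejected by the existing `if (clen == 0)` branch, so the two checks are complementary rather than redundant, which the comment could also say so a later reader does not fold them together.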
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
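The commit message describes the bug in one sentence: the normalization loop asked how long the current UTF-8 character was by reading its continuation bytes, and on a buffer that ends in the middle of a multibyte sequence that read runs past the end. The example below is added here to illustrate that pattern and the guard; it is not krb5 code and does not reproduce krb5int_utf8_normalize(). The function names utf8_charlen(), utf8_charlen2() and scan_utf8() and the input bytes are this example's own constructions, modelled on the hunk above: utf8_charlen() looks only at the lead byte, utf8_charlen2() also reads the continuation bytes, and scan_utf8() runs the loop with or without the lead-byte length check. The over-read is made observable by passing a logical length shorter than the backing array and recording how many bytes beyond that length were touched.

```c
/*
 * Added example (not krb5 code): a minimal UTF-8 scanner modelled on the
 * loop in krb5int_utf8_normalize(), run with and without the lead-byte
 * length guard the commit adds.  All names here are this example's own.
 */
#include <stddef.h>
#include <stdio.h>

enum { SCAN_OK = 0, SCAN_INVALID_UTF8 = 1 };

/* Expected sequence length from the lead byte alone (reads one byte).
 * Returns 0 for a byte that cannot start a sequence (a continuation
 * byte, or 0xF8..0xFF).  Overlong leads 0xC0/0xC1 are not special-cased
 * here; this is a simplified classifier, not krb5's macro. */
static size_t utf8_charlen(const unsigned char *s)
{
    unsigned char c = s[0];
    if (c < 0x80) return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Full check: reads the continuation bytes as well.  This is the read
 * that can run past the end of a buffer ending in a truncated sequence.
 * *maxidx receives the highest index touched relative to s. */
static size_t utf8_charlen2(const unsigned char *s, size_t *maxidx)
{
    size_t n = utf8_charlen(s), k;
    if (n == 0) return 0;
    for (k = 1; k < n; k++) {
        if (k > *maxidx) *maxidx = k;
        if ((s[k] & 0xC0) != 0x80) return 0;   /* not a continuation byte */
    }
    return n;
}

/* Walk buf[0..len) the way the normalization loop does.  With guard != 0,
 * apply the commit's check before utf8_charlen2() reads past the lead
 * byte.  *overrun receives the number of bytes read beyond len (0 if
 * none).  The caller must supply a backing array longer than len so the
 * unguarded demonstration itself stays within allocated memory. */
static int scan_utf8(const unsigned char *buf, size_t len, int guard,
                     size_t *overrun)
{
    size_t i = 0, clen, maxidx;
    *overrun = 0;
    while (i < len) {
        if (buf[i] < 0x80) { i++; continue; }          /* ASCII: one byte */
        if (guard && utf8_charlen(buf + i) > len - i)  /* the added check */
            return SCAN_INVALID_UTF8;                  /* truncated: reject */
        maxidx = 0;
        clen = utf8_charlen2(buf + i, &maxidx);
        if (i + maxidx >= len && i + maxidx + 1 - len > *overrun)
            *overrun = i + maxidx + 1 - len;           /* bytes past the end */
        if (clen == 0)
            return SCAN_INVALID_UTF8;
        i += clen;
    }
    return SCAN_OK;
}

/* Wrappers that expose each result as a return value. */
static int scan_rc(const unsigned char *buf, size_t len, int guard)
{ size_t o; return scan_utf8(buf, len, guard, &o); }
static size_t scan_overrun(const unsigned char *buf, size_t len, int guard)
{ size_t o; scan_utf8(buf, len, guard, &o); return o; }

/* Constructed input: "ab" followed by the first two bytes of U+20AC
 * (E2 82 AC), i.e. a three-byte sequence cut off after two bytes.  The
 * logical length is 4; the remaining bytes are padding that keeps the
 * unguarded over-read inside this array. */
static const unsigned char truncated[8] = { 'a', 'b', 0xE2, 0x82, 0xAC, 0, 0, 0 };
static const size_t truncated_len = 4;

/* Constructed well-formed input: "a" followed by U+00E9 (C3 A9). */
static const unsigned char valid[3] = { 'a', 0xC3, 0xA9 };

int main(void)
{
    size_t over;
    int rc;
    rc = scan_utf8(truncated, truncated_len, 0, &over);
    printf("unguarded: rc=%d, bytes read past end=%zu\n", rc, over);
    rc = scan_utf8(truncated, truncated_len, 1, &over);
    printf("guarded:   rc=%d, bytes read past end=%zu\n", rc, over);
    rc = scan_utf8(valid, sizeof valid, 1, &over);
    printf("valid:     rc=%d, bytes read past end=%zu\n", rc, over);
    return 0;
}
```

Without the guard the scan reads one byte past the logical end of the truncated input and, because the padding byte happens to be a continuation byte, reports the string as valid; with the guard the truncated sequence is rejected before any continuation byte is read, and the well-formed input still passes. The check is cheap because it needs only the lead byte and the remaining length, both already in hand, and it uses the same error code the existing `clen == 0` path returns.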
