ICU-6165 Prevent a reading past the end of a buffer.

X-SVN-Rev: 23340
2025-04-13 08:53:20 +00:00 · 2008-02-01 07:08:13 +00:00 · 2008-02-01 07:08:13 +00:00 · d170952252
commit d170952252
parent 0cd1f0abc8
2 changed files with 61 additions and 13 deletions
--- a/icu4c/source/i18n/csr2022.cpp
+++ b/icu4c/source/i18n/csr2022.cpp
@ -1,6 +1,6 @@
 /*
 **********************************************************************
- *   Copyright (C) 2005-2006, International Business Machines
+ *   Copyright (C) 2005-2008, International Business Machines
 *   Corporation and others.  All Rights Reserved.
 **********************************************************************
 */
@ -43,21 +43,24 @@ int32_t CharsetRecog_2022::match_2022(const uint8_t *text, int32_t textLen, cons
        if(text[i] == 0x1B) {
            escN = 0;
            while(escN < escapeSequences_length) {
-                int32_t seq_length = uprv_strlen((const char *) escapeSequences[escN]);
                const uint8_t *seq = escapeSequences[escN];
+                int32_t seq_length = uprv_strlen((const char *) seq);

-                j = 1;
-                while(j < seq_length) {
-                    if(seq[j] != text[i+j]) {
-                        goto checkEscapes;
+                if (textLen-i >= seq_length) {
+                    j = 1;
+                    while(j < seq_length) {
+                        if(seq[j] != text[i+j]) {
+                            goto checkEscapes;
+                        }
+
+                        j += 1;
                    }

-                    j += 1;
+                    hits += 1;
+                    i += seq_length-1;
+                    goto scanInput;
                }
-
-                hits += 1;
-                i += seq_length-1;
-                goto scanInput;
+                // else we ran out of string to compare this time.
 checkEscapes:
                escN += 1;
            }
--- a/icu4c/source/test/cintltst/ucsdetst.c
+++ b/icu4c/source/test/cintltst/ucsdetst.c
@ -1,6 +1,6 @@
 /*
 ****************************************************************************
- * Copyright (c) 2005-2006, International Business Machines Corporation and *
+ * Copyright (c) 2005-2008, International Business Machines Corporation and *
 * others. All Rights Reserved.                                             *
 ****************************************************************************
 */
@ -16,7 +16,7 @@
 #include <stdlib.h>
 #include <string.h>

-#define ARRAY_SIZE(array) (sizeof array / sizeof array[0])
+#define ARRAY_SIZE(array) (sizeof(array)/sizeof(array[0]))

 #define NEW_ARRAY(type,count) (type *) malloc((count) * sizeof(type))
 #define DELETE_ARRAY(array) free(array)
@ -27,6 +27,7 @@ static void TestUTF16(void);
 static void TestC1Bytes(void);
 static void TestInputFilter(void);
 static void TestChaining(void);
+static void TestBufferOverflow(void);

 void addUCsdetTest(TestNode** root);

@ -38,6 +39,7 @@ void addUCsdetTest(TestNode** root)
    addTest(root, &TestC1Bytes, "ucsdetst/TestC1Bytes");
    addTest(root, &TestInputFilter, "ucsdetst/TestInputFilter");
    addTest(root, &TestChaining, "ucsdetst/TestErrorChaining");
+    addTest(root, &TestBufferOverflow, "ucsdetst/TestBufferOverflow");
 }

 static int32_t preflight(const UChar *src, int32_t length, UConverter *cnv)
@ -353,3 +355,46 @@ static void TestChaining(void) {
        log_err("Status got changed to %s\n", u_errorName(status));
    }
 }
+
+static void TestBufferOverflow(void) {
+    UErrorCode status = U_ZERO_ERROR;
+    static const char *testStrings[] = {
+        "\x80 This is English \x1b", /* A partial ISO-2022 shift state at the end */
+        "\x80 This is English \x1b\x24", /* A partial ISO-2022 shift state at the end */
+        "\x80 This is English \x1b\x24\x28", /* A partial ISO-2022 shift state at the end */
+        "\x80 This is English \x1b\x24\x28\x44", /* A complete ISO-2022 shift state at the end with a bad one at the start */
+        "\x1b\x24\x28\x44" /* A complete ISO-2022 shift state at the end */
+    };
+    static const char *testResults[] = {
+        "windows-1252",
+        "windows-1252",
+        "windows-1252",
+        "windows-1252",
+        "ISO-2022-JP"
+    };
+    int32_t idx = 0;
+    UCharsetDetector *csd = ucsdet_open(&status);
+    const UCharsetMatch *match;
+
+    ucsdet_setDeclaredEncoding(csd, "ISO-2022-JP", -1, &status);
+
+    if (U_FAILURE(status)) {
+        log_err("Couldn't open detector. %s\n", u_errorName(status));
+        goto bail;
+    }
+
+    for (idx = 0; idx < ARRAY_SIZE(testStrings); idx++) {
+        ucsdet_setText(csd, testStrings[idx], -1, &status);
+        match = ucsdet_detect(csd, &status);
+
+        if (strcmp(ucsdet_getName(match, &status), testResults[idx]) != 0) {
+            log_err("Unexpectedly got %s instead of %s at index %d with confidence %d.\n",
+                ucsdet_getName(match, &status), testResults[idx], idx, ucsdet_getConfidence(match, &status));
+            goto bail;
+        }
+    }
+
+bail:
+    ucsdet_close(csd);
+}
+