CVE-2015-5330: strupper_talloc_n_handle(): properly count characters
author Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Tue, 24 Nov 2015 00:49:09 +0000 (13:49 +1300)
committer Ralph Boehme <slow@samba.org>
Wed, 9 Dec 2015 16:17:05 +0000 (17:17 +0100)
When a codepoint eats more than one byte we really want to know,
especially if the string is not NUL terminated.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
lib/util/charset/util_unistr.c

index f2992695f65e78a1c2fbbe96d0f63b1593ee912d..2cc87186daecbb3c421f1cef37b43d2a66e41cca 100644 (file)
@@ -110,11 +110,12 @@ _PUBLIC_ char *strupper_talloc_n_handle(struct smb_iconv_handle *iconv_handle,
                return NULL;
        }
 
                return NULL;
        }
 
-       while (n-- && *src) {
+       while (n && *src) {
                size_t c_size;
                codepoint_t c = next_codepoint_handle_ext(iconv_handle, src, n,
                                                          CH_UNIX, &c_size);
                src += c_size;
                size_t c_size;
                codepoint_t c = next_codepoint_handle_ext(iconv_handle, src, n,
                                                          CH_UNIX, &c_size);
                src += c_size;
+               n -= c_size;
 
                c = toupper_m(c);
 
 
                c = toupper_m(c);
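
Review bot: At `n -= c_size;` the loop's termination and bounds now depend entirely on what next_codepoint_handle_ext() writes to c_size. A value of 0 would leave both src and n unchanged and the loop would never exit (the old `n--` at least guaranteed progress), and a value larger than n would wrap n if it is an unsigned type, so `while (n && *src)` would keep reading past the intended length. Passing n as the byte limit suggests the callee respects it, but that contract is not visible in this hunk; consider breaking out of the loop when `c_size == 0 || c_size > n`, or adding a comment that states the guarantee. A test that feeds a buffer without NUL termination whose last character is multi-byte would cover the case the commit message describes.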