Skip to content
Snippets Groups Projects
Commit c17624db authored by Adam Vartanian's avatar Adam Vartanian
Browse files

Fix integer overflow in utf{16,32}_to_utf8_length 

Without an explicit check, the return value can wrap around and return
a value that is far too small to hold the data from the resulting
conversion.

No SafetyNet logging is included because when included aapt fails to
link in lmp-mr1-dev.

No CTS test is provided because it would need to allocate at least
SSIZE_MAX / 2 bytes of UTF-16 data, which is unreasonable on 64-bit
devices.

Bug: 37723026
Test: run cts -p android.security
Change-Id: Ice276dc3a5b62ad389b2e9b8caf670c76b7e5218
Merged-In: Ie2606b92b9eab1acfe8ce4663b43b81156a4cad7
parent 6fdfd58f
No related branches found
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
Showing
with 19 additions and 3 deletions
libutils/Unicode.cpp
+ 19
3
View file @ c17624db
...@@ -18,6 +18,7 @@ ...@@ -18,6 +18,7 @@
#include <utils/Unicode.h> #include <utils/Unicode.h>
#include <stddef.h> #include <stddef.h>
#include <limits.h>
#ifdef HAVE_WINSOCK #ifdef HAVE_WINSOCK
# undef nhtol # undef nhtol
...@@ -184,7 +185,14 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len) ...@@ -184,7 +185,14 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len)
size_t ret = 0; size_t ret = 0;
const char32_t *end = src + src_len; const char32_t *end = src + src_len;
while (src < end) { while (src < end) {
ret += utf32_codepoint_utf8_length(*src++); size_t char_len = utf32_codepoint_utf8_length(*src++);
if (SSIZE_MAX - char_len < ret) {
// If this happens, we would overflow the ssize_t type when
// returning from this function, so we cannot express how
// long this string is in an ssize_t.
return -1;
}
ret += char_len;
} }
return ret; return ret;
} }
...@@ -420,14 +428,22 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len) ...@@ -420,14 +428,22 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len)
size_t ret = 0; size_t ret = 0;
const char16_t* const end = src + src_len; const char16_t* const end = src + src_len;
while (src < end) { while (src < end) {
size_t char_len;
if ((*src & 0xFC00) == 0xD800 && (src + 1) < end if ((*src & 0xFC00) == 0xD800 && (src + 1) < end
&& (*(src + 1) & 0xFC00) == 0xDC00) { && (*(src + 1) & 0xFC00) == 0xDC00) {
// surrogate pairs are always 4 bytes. // surrogate pairs are always 4 bytes.
ret += 4; char_len = 4;
src += 2; src += 2;
} else { } else {
ret += utf32_codepoint_utf8_length((char32_t) *src++); char_len = utf32_codepoint_utf8_length((char32_t)*src++);
}
if (SSIZE_MAX - char_len < ret) {
// If this happens, we would overflow the ssize_t type when
// returning from this function, so we cannot express how
// long this string is in an ssize_t.
return -1;
} }
ret += char_len;
} }
return ret; return ret;
} }
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment