author | Greg Hudson <ghudson@mit.edu> | 2022-10-12 00:27:17 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2022-11-03 00:57:49 -0400 |
commit | fb9cf8cfbf8da0d160cb61250b952f2b8e5484f4 (patch) | |
tree | 2837ca13fc97c78dcf167f7b7398cf5e03d720c6 | |
parent | 30429ade54bfe66f9145a30487e43b19bde76701 (diff) | |

Avoid small read overrun in UTF8 normalization

In krb5int_utf8_normalize(), check the length of the current character
against the buffer length before reading more than one byte. Credit
to OSS-Fuzz for discovering the overrun.

ticket: 9072 (new)

-rw-r--r-- | src/lib/krb5/unicode/ucstr.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/lib/krb5/unicode/ucstr.c b/src/lib/krb5/unicode/ucstr.c index 21030bf..e3ed9bc 100644 --- a/src/lib/krb5/unicode/ucstr.c +++ b/src/lib/krb5/unicode/ucstr.c @@ -199,6 +199,12 @@ krb5int_utf8_normalize( /* s[i] is non-ascii */ /* convert everything up to next ascii to ucs-4 */ while (i < len) { + /* KRB5_UTF8_CHARLEN only looks at the first byte; use it to guard + * against small read overruns. */ + if (KRB5_UTF8_CHARLEN(s + i) > len - i) { + retval = KRB5_ERR_INVALID_UTF8; + goto cleanup; + } clen = KRB5_UTF8_CHARLEN2(s + i, clen); if (clen == 0) { retval = KRB5_ERR_INVALID_UTF8; |
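
Review bot: The new guard at the top of the `while (i < len)` loop comes with no regression test: the diffstat lists only src/lib/krb5/unicode/ucstr.c, so nothing pins the behaviour for an input whose final byte is a multi-byte lead byte. Since the overrun was found by fuzzing, consider adding a test that passes a buffer ending in a truncated sequence and expects KRB5_ERR_INVALID_UTF8. On the comparison itself, `KRB5_UTF8_CHARLEN(s + i) > len - i` cannot underflow only because the loop condition guarantees `i < len`; the comment could say so, and it is worth confirming that both operands have compatible signedness so the check is not a mixed signed/unsigned comparison.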