Unix mb_to_wc: add missing bounds checks.

Checking various implementations of these functions against each other, I noticed by eyeball review that some of the special cases in mb_to_wc() never check the buffer limit at all. Yikes! Fortunately, I think there's no vulnerability, because these special cases are ones that write out at most one wide char per multibyte char, and at all the call sites (including dup_mb_to_wc) we allocate that much even for the first attempt. The only exception to that is the call in key_event() in unix/window.c, which uses a fixed-size output buffer, but its input will always be the data generated by an X keystroke event. So that one can only overrun the buffer if an X key event manages to translate into more than 32 wide characters of text - and even if that does come up in some exotic edge case, it will at least not be happening under _enemy_ control.
2025-01-25 01:02:24 +00:00 · 2022-03-12 18:47:27 +00:00 · 2022-03-12 18:47:27 +00:00 · cf41bc0c62
commit cf41bc0c62
parent b360ea6ac1
1 changed files with 4 additions and 0 deletions
--- a/unix/unicode.c
+++ b/unix/unicode.c
@ -31,6 +31,8 @@ int mb_to_wc(int codepage, int flags, const char *mbstr, int mblen,
        memset(&state, 0, sizeof state);

        while (mblen > 0) {
+            if (n >= wclen)
+                return n;
            size_t i = mbrtowc(wcstr+n, mbstr, (size_t)mblen, &state);
            if (i == (size_t)-1 || i == (size_t)-2)
                break;
@ -44,6 +46,8 @@ int mb_to_wc(int codepage, int flags, const char *mbstr, int mblen,
        int n = 0;

        while (mblen > 0) {
+            if (n >= wclen)
+                return n;
            wcstr[n] = 0xD800 | (mbstr[0] & 0xFF);
            n++;
            mbstr++;