authorGreg Hudson <ghudson@mit.edu>2022-10-12 00:27:17 -0400
committerGreg Hudson <ghudson@mit.edu>2022-11-03 00:57:49 -0400
commitfb9cf8cfbf8da0d160cb61250b952f2b8e5484f4 (patch)
tree2837ca13fc97c78dcf167f7b7398cf5e03d720c6
parent30429ade54bfe66f9145a30487e43b19bde76701 (diff)
downloadkrb5-fb9cf8cfbf8da0d160cb61250b952f2b8e5484f4.tar.gz
Avoid small read overrun in UTF8 normalization
In krb5int_utf8_normalize(), check the length of the current character against the buffer length before reading more than one byte. Credit to OSS-Fuzz for discovering the overrun. ticket: 9072 (new)
-rw-r--r--src/lib/krb5/unicode/ucstr.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/lib/krb5/unicode/ucstr.c b/src/lib/krb5/unicode/ucstr.c
index 21030bf25..e3ed9bc64 100644
--- a/src/lib/krb5/unicode/ucstr.c
+++ b/src/lib/krb5/unicode/ucstr.c
@@ -199,6 +199,12 @@ krb5int_utf8_normalize(
/* s[i] is non-ascii */
/* convert everything up to next ascii to ucs-4 */
while (i < len) {
+ /* KRB5_UTF8_CHARLEN only looks at the first byte; use it to guard
+ * against small read overruns. */
+ if (KRB5_UTF8_CHARLEN(s + i) > len - i) {
+ retval = KRB5_ERR_INVALID_UTF8;
+ goto cleanup;
+ }
clen = KRB5_UTF8_CHARLEN2(s + i, clen);
if (clen == 0) {
retval = KRB5_ERR_INVALID_UTF8;
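Review bot: The new guard `if (KRB5_UTF8_CHARLEN(s + i) > len - i)` ships without a regression test; the diffstat lists only ucstr.c, so nothing pins the behaviour that OSS-Fuzz exposed. A small test that passes input ending in a truncated multi-byte sequence (a lead byte announcing more bytes than remain) and expects `KRB5_ERR_INVALID_UTF8`, run under AddressSanitizer, would keep the overrun from coming back. The declarations of `len` and `i` are outside the hunk; if either is unsigned, the comparison against the macro's result should be checked for a signed/unsigned mix. krb5int_utf8_normalize() begins and ends outside this hunk, so any other place in it that calls `KRB5_UTF8_CHARLEN2` could not be checked here.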