diff options
author | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | 2015-11-24 13:49:09 +1300 |
---|---|---|
committer | Ralph Boehme <slow@samba.org> | 2015-12-09 17:17:05 +0100 |
commit | a561ae6294fa926bf3a15b9aaf3d18d25d5e971f (patch) | |
tree | a59aa31b2b16fe1de4a06850a48949d5f49afc77 | |
parent | 5f3c7541c2f10ac2174538288f6569af587d69f0 (diff) | |
download | samba-a561ae6294fa926bf3a15b9aaf3d18d25d5e971f.tar.gz |
CVE-2015-5330: strupper_talloc_n_handle(): properly count characters
When a codepoint eats more than one byte we really want to know,
especially if the string is not NUL terminated.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
-rw-r--r-- | lib/util/charset/util_unistr.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/util/charset/util_unistr.c b/lib/util/charset/util_unistr.c index f2992695f65..2cc87186dae 100644 --- a/lib/util/charset/util_unistr.c +++ b/lib/util/charset/util_unistr.c @@ -110,11 +110,12 @@ _PUBLIC_ char *strupper_talloc_n_handle(struct smb_iconv_handle *iconv_handle, return NULL; } - while (n-- && *src) { + while (n && *src) { size_t c_size; codepoint_t c = next_codepoint_handle_ext(iconv_handle, src, n, CH_UNIX, &c_size); src += c_size; + n -= c_size; c = toupper_m(c); |