From a561ae6294fa926bf3a15b9aaf3d18d25d5e971f Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Tue, 24 Nov 2015 13:49:09 +1300
Subject: CVE-2015-5330: strupper_talloc_n_handle(): properly count characters

When a codepoint eats more than one byte we really want to know,
especially if the string is not NUL terminated.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
 lib/util/charset/util_unistr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/util/charset/util_unistr.c b/lib/util/charset/util_unistr.c
index f2992695f65..2cc87186dae 100644
--- a/lib/util/charset/util_unistr.c
+++ b/lib/util/charset/util_unistr.c
@@ -110,11 +110,12 @@ _PUBLIC_ char *strupper_talloc_n_handle(struct smb_iconv_handle *iconv_handle,
 		return NULL;
 	}
 
-	while (n-- && *src) {
+	while (n && *src) {
 		size_t c_size;
 		codepoint_t c = next_codepoint_handle_ext(iconv_handle, src, n,
 							  CH_UNIX, &c_size);
 		src += c_size;
+		n -= c_size;
 
 		c = toupper_m(c);
 
-- 
cgit v1.2.1