Skip to content

Commit 1c449a3

Browse files
committed
add some boundary checks on gf_text_get_utf8_line (#1188)
1 parent 35ab447 commit 1c449a3

File tree

2 files changed

+53
-26
lines changed

2 files changed

+53
-26
lines changed

Diff for: applications/mp4client/main.c

+1-1
Original file line numberDiff line numberDiff line change
@@ -1715,7 +1715,7 @@ int mp4client_main(int argc, char **argv)
17151715
e = gf_dm_sess_process(sess);
17161716
if (!e) {
17171717
strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1);
1718-
the_url[sizeof(the_cfg) - 1] = 0;
1718+
the_url[sizeof(the_url) - 1] = 0;
17191719
}
17201720
gf_dm_sess_del(sess);
17211721
}

Diff for: src/media_tools/text_import.c

+52-25
Original file line numberDiff line numberDiff line change
@@ -205,49 +205,76 @@ char *gf_text_get_utf8_line(char *szLine, u32 lineSize, FILE *txt_in, s32 unicod
205205
if (unicode_type<=1) {
206206
j=0;
207207
len = (u32) strlen(szLine);
208-
for (i=0; i<len; i++) {
208+
for (i=0; i<len && j < sizeof(szLineConv) - 1; i++, j++) {
209+
209210
if (!unicode_type && (szLine[i] & 0x80)) {
210211
/*non UTF8 (likely some win-CP)*/
211212
if ((szLine[i+1] & 0xc0) != 0x80) {
212-
szLineConv[j] = 0xc0 | ( (szLine[i] >> 6) & 0x3 );
213-
j++;
214-
szLine[i] &= 0xbf;
213+
if (j + 1 < sizeof(szLineConv) - 1) {
214+
szLineConv[j] = 0xc0 | ((szLine[i] >> 6) & 0x3);
215+
j++;
216+
szLine[i] &= 0xbf;
217+
}
218+
else
219+
break;
215220
}
216221
/*UTF8 2 bytes char*/
217222
else if ( (szLine[i] & 0xe0) == 0xc0) {
218-
szLineConv[j] = szLine[i];
219-
i++;
220-
j++;
223+
224+
// don't cut multibyte in the middle in there is no more room in dest
225+
if (j + 1 < sizeof(szLineConv) - 1 && i + 1 < len) {
226+
szLineConv[j] = szLine[i];
227+
i++;
228+
j++;
229+
}
230+
else {
231+
break;
232+
}
221233
}
222234
/*UTF8 3 bytes char*/
223235
else if ( (szLine[i] & 0xf0) == 0xe0) {
224-
szLineConv[j] = szLine[i];
225-
i++;
226-
j++;
227-
szLineConv[j] = szLine[i];
228-
i++;
229-
j++;
236+
if (j + 2 < sizeof(szLineConv) - 1 && i + 2 < len) {
237+
szLineConv[j] = szLine[i];
238+
i++;
239+
j++;
240+
szLineConv[j] = szLine[i];
241+
i++;
242+
j++;
243+
}
244+
else {
245+
break;
246+
}
230247
}
231248
/*UTF8 4 bytes char*/
232249
else if ( (szLine[i] & 0xf8) == 0xf0) {
233-
szLineConv[j] = szLine[i];
234-
i++;
235-
j++;
236-
szLineConv[j] = szLine[i];
237-
i++;
238-
j++;
239-
szLineConv[j] = szLine[i];
240-
i++;
241-
j++;
250+
if (j + 3 < sizeof(szLineConv) - 1 && i + 3 < len) {
251+
szLineConv[j] = szLine[i];
252+
i++;
253+
j++;
254+
szLineConv[j] = szLine[i];
255+
i++;
256+
j++;
257+
szLineConv[j] = szLine[i];
258+
i++;
259+
j++;
260+
}
261+
else {
262+
break;
263+
}
242264
} else {
243265
i+=1;
244266
continue;
245267
}
246268
}
247-
szLineConv[j] = szLine[i];
248-
j++;
269+
if (j < sizeof(szLineConv)-1 && i<len)
270+
szLineConv[j] = szLine[i];
271+
249272
}
250-
szLineConv[j] = 0;
273+
if (j >= sizeof(szLineConv))
274+
szLineConv[sizeof(szLineConv) - 1] = 0;
275+
else
276+
szLineConv[j] = 0;
277+
251278
strcpy(szLine, szLineConv);
252279
return sOK;
253280
}

0 commit comments

Comments
 (0)