Signed-off-by: xuraoqing <xuraoqing@huawei.com> (cherry picked from commit cdebdebb304a2493ca63fed39967ce1dd207634d)
From fb9cf8cfbf8da0d160cb61250b952f2b8e5484f4 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 12 Oct 2022 00:27:17 -0400
Subject: [PATCH] Avoid small read overrun in UTF8 normalization
In krb5int_utf8_normalize(), check the length of the current character
against the buffer length before reading more than one byte. Credit
to OSS-Fuzz for discovering the overrun.
ticket: 9072 (new)
Reference: https://github.com/krb5/krb5/commit/fb9cf8cfbf8da0d160cb61250b952f2b8e5484f4
Conflict: NA
---
src/lib/krb5/unicode/ucstr.c | 6 ++++++
1 file changed, 6 insertions(+)
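--- a/src/lib/krb5/unicode/ucstr.c
+++ b/src/lib/krb5/unicode/ucstr.c
@@ -199,6 +199,12 @@ krb5int_utf8_normalize(
 /* s[i] is non-ascii */
 /* convert everything up to next ascii to ucs-4 */
 while (i < len) {
+ /* KRB5_UTF8_CHARLEN only looks at the first byte; use it to guard
+ * against small read overruns. */
+ if (KRB5_UTF8_CHARLEN(s + i) > len - i) {
+ retval = KRB5_ERR_INVALID_UTF8;
+ goto cleanup;
+ }
 clen = KRB5_UTF8_CHARLEN2(s + i, clen);
 if (clen == 0) {
 retval = KRB5_ERR_INVALID_UTF8;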
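Review bot: The new guard `if (KRB5_UTF8_CHARLEN(s + i) > len - i)` arrives without a regression test; the diffstat shows only ucstr.c changed. A test that normalizes a buffer whose last character is a truncated multi-byte sequence and expects `KRB5_ERR_INVALID_UTF8`, run in an AddressSanitizer build, would keep the OSS-Fuzz finding from coming back. The comparison is only safe because the loop condition `i < len` keeps `len - i` at least 1, and the declarations of `len` and `i` are outside the hunk, so the comment could say so, e.g. `/* i < len here, so len - i >= 1 */`. The rest of krb5int_utf8_normalize() and the `cleanup` label are also outside the hunk, so whether the new exit path releases the buffers allocated earlier cannot be confirmed from here.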
--
2.27.0