Re: [AD] Patch for rare buffer overflow of do_uconvert with tiny buffer sizes |
- To: Allegro developers mailing list <alleg-developers@xxxxxxxxxx>
- Subject: Re: [AD] Patch for rare buffer overflow of do_uconvert with tiny buffer sizes
- From: Grzegorz Adam Hankiewicz <gradha@xxxxxxxxxx>
- Date: Wed, 20 Aug 2003 23:45:20 +0200
On 2003-08-12, Eric Botcazou <ebotcazou@xxxxxxxxxx> wrote:
> The patch is OK for mainline, except the two following minor nits:
> - a double ASSERT on 'size' is overkill. The first one is certainly
> superfluous.
It is not overkill if you also count a possible integer overflow:
#include <limits.h>   /* INT_MAX */
#include <allegro.h>

int main(int argc, char *argv[])
{
   /* Small destination buffer: 8 characters plus the nul at temp[8]. */
   char temp[] = "1234567\n";

   allegro_init();

   /* -INT_MAX-1 is the most negative int; subtracting anything from it
    * wraps around, which is the integer-overflow case a single
    * 'size > 0' check has to catch before the conversion starts. */
   do_uconvert("yay", U_ASCII, temp, U_UNICODE, -INT_MAX-1);

   /* Show whether the conversion wrote past what it should have. */
   allegro_message("(%d)(%d)(%d)(%d)\n",
                   temp[0], temp[1], temp[2], temp[3]);

   return 0;
}
END_OF_MAIN()
Index: src/unicode.c
===================================================================
RCS file: /cvsroot/alleg/allegro/src/unicode.c,v
retrieving revision 1.26
diff -u -r1.26 unicode.c
--- src/unicode.c 15 Aug 2003 10:04:03 -0000 1.26
+++ src/unicode.c 20 Aug 2003 21:43:51 -0000
@@ -659,6 +659,7 @@
int c;
ASSERT(s);
ASSERT(buf);
+ ASSERT(size > 0);
info = _find_utype(type);
if (!info)
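Review bot: ASSERT(size > 0) at the top of the function only fires in debug builds (Allegro's ASSERT compiles to nothing otherwise), so the -INT_MAX-1 call from the example above still reaches the conversion code in a release build; consider pairing the assertion with a runtime guard that returns early or writes only the terminator when size <= 0, and state the size > 0 precondition in the function's documentation so callers know the check is theirs.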