Re: [AD] Patch for rare buffer overflow of do_uconvert with tiny buffer sizes |
- To: "Allegro developers mailing list" <alleg-developers@xxxxxxxxxx>
- Subject: Re: [AD] Patch for rare buffer overflow of do_uconvert with tiny buffer sizes
- From: "Eric Botcazou" <ebotcazou@xxxxxxxxxx>
- Date: Thu, 28 Aug 2003 16:21:54 +0200
> It is not overkill, counting a possible integer overflow as well:
>
> #include <limits.h>   /* INT_MAX */
> #include <allegro.h>
>
> int main(int argc, char *argv[])
> {
>    char temp[] = "1234567\n";   /* tiny 9-byte destination buffer */
>    allegro_init();
>    /* negative size: triggers the possible integer overflow */
>    do_uconvert("yay", U_ASCII, temp, U_UNICODE, -INT_MAX-1);
>    allegro_message("(%d)(%d)(%d)(%d)\n",
>                    temp[0], temp[1], temp[2], temp[3]);
>    return 0;
> }
> END_OF_MAIN()
What I like in this test case is that it is not artificial at all ;-)
> Index: src/unicode.c
> ===================================================================
> RCS file: /cvsroot/alleg/allegro/src/unicode.c,v
> retrieving revision 1.26
> diff -u -r1.26 unicode.c
> --- src/unicode.c 15 Aug 2003 10:04:03 -0000 1.26
> +++ src/unicode.c 20 Aug 2003 21:43:51 -0000
> @@ -659,6 +659,7 @@
> int c;
> ASSERT(s);
> ASSERT(buf);
> + ASSERT(size > 0);
>
> info = _find_utype(type);
> if (!info)
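Review bot: ASSERT(size > 0) only fires in debug builds, so in a release build a size of 0 or a negative one (such as the -INT_MAX-1 in the test case above) still reaches the conversion loop unchanged. Since the function already bails out early for an unknown type right below (`if (!info)`), a matching runtime guard next to the assertion, e.g. `if (size <= 0) return;`, would be consistent and would cover release builds too; at minimum the "size must be positive" precondition should be stated in the function's documentation.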
I guess this is eventually ok.
--
Eric Botcazou
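The size-countdown pattern behind the test case and the patch, as an added example that is not Allegro's code: a minimal model of a do_uconvert-style loop, with the overflowing form beside a hardened one. The names conv_unsafe, conv_safe, put_unit and OUT_WIDTH are assumptions of this example, not Allegro identifiers.

```c
/* Added example, not Allegro's code: a minimal model of a do_uconvert-style
 * size-countdown loop converting 1-byte ASCII into fixed 2-byte units (a stand-in
 * for U_UNICODE).  conv_unsafe() shows the overflow pattern, conv_safe() the fix. */
#include <limits.h>

#define OUT_WIDTH 2   /* bytes per output unit, terminator included */

/* Writes one 2-byte output unit (char + zero high byte) at buf[pos]. */
static void put_unit(char *buf, int pos, char c)
{
   buf[pos] = c;
   buf[pos + 1] = 0;
}

/* Before: counts size down and checks it only after subtracting.  With
 * size = -INT_MAX-1 the first subtraction overflows a signed int (undefined
 * behaviour; in practice it wraps to a large positive value), so the loop
 * copies the whole string regardless of the real buffer size.
 * Returns bytes written, terminator included. */
int conv_unsafe(const char *s, char *buf, int size)
{
   int pos = 0;
   size -= OUT_WIDTH;                  /* reserve the terminator */
   while (*s) {
      size -= OUT_WIDTH;
      if (size < 0)
         break;
      put_unit(buf, pos, *s++);
      pos += OUT_WIDTH;
   }
   put_unit(buf, pos, 0);
   return pos + OUT_WIDTH;
}

/* After: reject a bad size up front with a real check (an ASSERT alone
 * compiles out of release builds) and compare before every write, so no
 * arithmetic on size can overflow.  Returns 0 and leaves buf untouched when
 * not even the terminator fits. */
int conv_safe(const char *s, char *buf, int size)
{
   int pos = 0;
   if (!s || !buf || size < OUT_WIDTH)
      return 0;
   while (*s && size - pos >= 2 * OUT_WIDTH) {  /* unit + terminator */
      put_unit(buf, pos, *s++);
      pos += OUT_WIDTH;
   }
   put_unit(buf, pos, 0);
   return pos + OUT_WIDTH;
}
```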