[glib/glib-2-58: 18/21] gmarkup: Avoid reading off the end of a buffer when non-nul-terminated



commit 8cfe53f081f8147cd3c36aebf64c635e04d3ab09
Author: Philip Withnall <withnall endlessm com>
Date:   Fri Oct 26 23:06:37 2018 +1300

    gmarkup: Avoid reading off the end of a buffer when non-nul-terminated
    
    When extracting a UTF-8 character to put in an error message on parse
    failure, pass the remaining buffer length to utf8_str() to avoid it
    running off the end of the input buffer. It previously assumed that the
    buffer was nul-terminated, which was the case in all the tests until
    now.
    
    A following commit will add test coverage for this.
    
    Signed-off-by: Philip Withnall <withnall endlessm com>

 glib/gmarkup.c | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)
---
diff --git a/glib/gmarkup.c b/glib/gmarkup.c
index bcb91c0a4..f97a2c7c4 100644
--- a/glib/gmarkup.c
+++ b/glib/gmarkup.c
@@ -563,12 +563,14 @@ char_str (gunichar c,
  * emitting it as hex escapes. */
 static gchar*
 utf8_str (const gchar *utf8,
+          gsize        max_len,
           gchar       *buf)
 {
-  gunichar c = g_utf8_get_char_validated (utf8, -1);
+  gunichar c = g_utf8_get_char_validated (utf8, max_len);
   if (c == (gunichar) -1 || c == (gunichar) -2)
     {
-      gchar *temp = g_strdup_printf ("\\x%02x", (guint)(guchar)*utf8);
+      guchar ch = (max_len > 0) ? (guchar) *utf8 : 0;
+      gchar *temp = g_strdup_printf ("\\x%02x", (guint) ch);
       memset (buf, 0, 8);
       memcpy (buf, temp, strlen (temp));
       g_free (temp);
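Review bot: The new `max_len` parameter is undocumented, and the helper's header comment (which begins above the hunk and ends at `* emitting it as hex escapes. */`) does not say whether it counts the bytes readable from `utf8` or whether a nul terminator is still expected. `g_utf8_get_char_validated()` takes a `gssize`, so a `gsize` value above `G_MAXSSIZE` would be reinterpreted as negative and presumably select the nul-terminated path this commit is trying to move away from; the callers in this commit pass a pointer difference, so that cannot happen here, but the contract belongs in the comment, e.g. `@max_len: number of bytes readable from @utf8; @utf8 need not be nul-terminated, and @max_len must not exceed G_MAXSSIZE`. The `max_len == 0` fallback to `ch = 0` formats `\x00` rather than dereferencing `utf8`, which is reasonable but non-obvious and deserves a line such as `/* max_len == 0: nothing readable, report a nul byte instead of dereferencing */`. utf8_str's body continues past the end of the hunk.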
@@ -1223,7 +1225,8 @@ g_markup_parse_context_parse (GMarkupParseContext  *context,
                          _("“%s” is not a valid character following "
                            "a “<” character; it may not begin an "
                            "element name"),
-                         utf8_str (context->iter, buf));
+                         utf8_str (context->iter,
+                                   context->current_text_end - context->iter, buf));
             }
           break;
 
@@ -1264,7 +1267,8 @@ g_markup_parse_context_parse (GMarkupParseContext  *context,
                          G_MARKUP_ERROR_PARSE,
                          _("Odd character “%s”, expected a “>” character "
                            "to end the empty-element tag “%s”"),
-                         utf8_str (context->iter, buf),
+                         utf8_str (context->iter,
+                                   context->current_text_end - context->iter, buf),
                          current_element (context));
             }
           break;
@@ -1345,7 +1349,8 @@ g_markup_parse_context_parse (GMarkupParseContext  *context,
                              G_MARKUP_ERROR_PARSE,
                              _("Odd character “%s”, expected a “=” after "
                                "attribute name “%s” of element “%s”"),
-                             utf8_str (context->iter, buf),
+                             utf8_str (context->iter,
+                                       context->current_text_end - context->iter, buf),
                              current_attribute (context),
                              current_element (context));
 
@@ -1389,7 +1394,8 @@ g_markup_parse_context_parse (GMarkupParseContext  *context,
                                "element “%s”, or optionally an attribute; "
                                "perhaps you used an invalid character in "
                                "an attribute name"),
-                             utf8_str (context->iter, buf),
+                             utf8_str (context->iter,
+                                       context->current_text_end - context->iter, buf),
                              current_element (context));
                 }
 
@@ -1431,7 +1437,8 @@ g_markup_parse_context_parse (GMarkupParseContext  *context,
                              _("Odd character “%s”, expected an open quote mark "
                                "after the equals sign when giving value for "
                                "attribute “%s” of element “%s”"),
-                             utf8_str (context->iter, buf),
+                             utf8_str (context->iter,
+                                       context->current_text_end - context->iter, buf),
                              current_attribute (context),
                              current_element (context));
                 }
@@ -1564,8 +1571,10 @@ g_markup_parse_context_parse (GMarkupParseContext  *context,
                          _("“%s” is not a valid character following "
                            "the characters “</”; “%s” may not begin an "
                            "element name"),
-                         utf8_str (context->iter, buf),
-                         utf8_str (context->iter, buf));
+                         utf8_str (context->iter,
+                                   context->current_text_end - context->iter, buf),
+                         utf8_str (context->iter,
+                                   context->current_text_end - context->iter, buf));
             }
           break;
 
@@ -1600,7 +1609,8 @@ g_markup_parse_context_parse (GMarkupParseContext  *context,
                              _("“%s” is not a valid character following "
                                "the close element name “%s”; the allowed "
                                "character is “>”"),
-                             utf8_str (context->iter, buf),
+                             utf8_str (context->iter,
+                                       context->current_text_end - context->iter, buf),
                              close_name->str);
                 }
               else if (context->tag_stack == NULL)

