[glib: 3/6] gmarkup: Avoid reading off the end of a buffer when non-nul-terminated
- From: Philip Withnall <pwithnall src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib: 3/6] gmarkup: Avoid reading off the end of a buffer when non-nul-terminated
- Date: Mon, 29 Oct 2018 22:03:33 +0000 (UTC)
commit 3a961236dda9b1808a569d80e64a56014fb7d941
Author: Philip Withnall <withnall endlessm com>
Date: Fri Oct 26 23:06:37 2018 +1300
gmarkup: Avoid reading off the end of a buffer when non-nul-terminated
When extracting a UTF-8 character to put in an error message on parse
failure, pass the remaining buffer length to utf8_str() to avoid it
running off the end of the input buffer. It previously assumed that the
buffer was nul-terminated, which was the case in all the tests until
now.
A following commit will add test coverage for this.
Signed-off-by: Philip Withnall <withnall endlessm com>
glib/gmarkup.c | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
---
diff --git a/glib/gmarkup.c b/glib/gmarkup.c
index 9b15b1281..f85c00ab4 100644
--- a/glib/gmarkup.c
+++ b/glib/gmarkup.c
@@ -562,12 +562,14 @@ char_str (gunichar c,
* emitting it as hex escapes. */
static gchar*
utf8_str (const gchar *utf8,
+ gsize max_len,
gchar *buf)
{
- gunichar c = g_utf8_get_char_validated (utf8, -1);
+ gunichar c = g_utf8_get_char_validated (utf8, max_len);
if (c == (gunichar) -1 || c == (gunichar) -2)
{
- gchar *temp = g_strdup_printf ("\\x%02x", (guint)(guchar)*utf8);
+ guchar ch = (max_len > 0) ? (guchar) *utf8 : 0;
+ gchar *temp = g_strdup_printf ("\\x%02x", (guint) ch);
memset (buf, 0, 8);
memcpy (buf, temp, strlen (temp));
g_free (temp);
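Review bot: `max_len` is declared `gsize` in utf8_str() but is passed straight to g_utf8_get_char_validated(), whose length parameter is a signed `gssize` where a negative value means "read until nul". A value above `G_MAXSSIZE` (for example, if a caller's pointer subtraction were ever negative before the implicit conversion) would silently bring back the unbounded read, and the `max_len > 0` test would still permit the `*utf8` dereference. An explicit check before the call, such as `g_assert (max_len <= G_MAXSSIZE);`, would make that assumption visible. The comment above the function could also state the new contract: `/* @max_len is the number of bytes readable at @utf8; @buf must hold at least 8 bytes. */`. The function body continues past the end of this hunk.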
@@ -1222,7 +1224,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
_("“%s” is not a valid character following "
"a “<” character; it may not begin an "
"element name"),
- utf8_str (context->iter, buf));
+ utf8_str (context->iter,
+ context->current_text_end - context->iter, buf));
}
break;
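Review bot: The bound `context->current_text_end - context->iter` is written out by hand here and again in each of the six following hunks (eight call sites in all), so the fix depends on every copy staying identical. The subtraction is a signed pointer difference that is implicitly converted to `gsize`, and the invariant that `iter` never passes `current_text_end` is not visible in these hunks. A small static helper taking `context` and `buf` would keep the length computation in one place and give a single spot to assert `context->iter <= context->current_text_end`. In the `</` hunk the two utf8_str() calls use the same `iter` and the same `buf`, so they could share one call. g_markup_parse_context_parse() begins and ends outside all of these hunks.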
@@ -1263,7 +1266,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
G_MARKUP_ERROR_PARSE,
_("Odd character “%s”, expected a “>” character "
"to end the empty-element tag “%s”"),
- utf8_str (context->iter, buf),
+ utf8_str (context->iter,
+ context->current_text_end - context->iter, buf),
current_element (context));
}
break;
@@ -1344,7 +1348,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
G_MARKUP_ERROR_PARSE,
_("Odd character “%s”, expected a “=” after "
"attribute name “%s” of element “%s”"),
- utf8_str (context->iter, buf),
+ utf8_str (context->iter,
+ context->current_text_end - context->iter, buf),
current_attribute (context),
current_element (context));
@@ -1388,7 +1393,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
"element “%s”, or optionally an attribute; "
"perhaps you used an invalid character in "
"an attribute name"),
- utf8_str (context->iter, buf),
+ utf8_str (context->iter,
+ context->current_text_end - context->iter, buf),
current_element (context));
}
@@ -1430,7 +1436,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
_("Odd character “%s”, expected an open quote mark "
"after the equals sign when giving value for "
"attribute “%s” of element “%s”"),
- utf8_str (context->iter, buf),
+ utf8_str (context->iter,
+ context->current_text_end - context->iter, buf),
current_attribute (context),
current_element (context));
}
@@ -1563,8 +1570,10 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
_("“%s” is not a valid character following "
"the characters “</”; “%s” may not begin an "
"element name"),
- utf8_str (context->iter, buf),
- utf8_str (context->iter, buf));
+ utf8_str (context->iter,
+ context->current_text_end - context->iter, buf),
+ utf8_str (context->iter,
+ context->current_text_end - context->iter, buf));
}
break;
@@ -1599,7 +1608,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
_("“%s” is not a valid character following "
"the close element name “%s”; the allowed "
"character is “>”"),
- utf8_str (context->iter, buf),
+ utf8_str (context->iter,
+ context->current_text_end - context->iter, buf),
close_name->str);
}
else if (context->tag_stack == NULL)