[xerces-c] branch xerces-3.2 updated: ICUTranscoder::transcodeFrom(): fix read heap-buffer-overflow

Mon, 23 Aug 2021 22:20:20 -0700 

This is an automated email from the ASF dual-hosted git repository.

rleigh pushed a commit to branch xerces-3.2
in repository https://gitbox.apache.org/repos/asf/xerces-c.git


The following commit(s) were added to refs/heads/xerces-3.2 by this push:
     new 4d35954  ICUTranscoder::transcodeFrom(): fix read heap-buffer-overflow
     new 19428fb  Merge pull request #25 from 
rouault/fix_gdal_ossfuzz_35373_backport_3_2
4d35954 is described below

commit 4d359541505a5554c2cc6353290593dc7db7a925
Author: Even Rouault <[email protected]>
AuthorDate: Tue Aug 10 12:20:35 2021 +0200

    ICUTranscoder::transcodeFrom(): fix read heap-buffer-overflow
    
    Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35373
    
    When charsDecoded == 0, the line ``for (index = 0; index < charsDecoded
    - 1; index++)`` will cause to read out of bounds of fSrcOffsets, due to
    unsigned integer underflow rules.
---
 src/xercesc/util/Transcoders/ICU/ICUTransService.cpp | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/xercesc/util/Transcoders/ICU/ICUTransService.cpp 
b/src/xercesc/util/Transcoders/ICU/ICUTransService.cpp
index 0ebcd37..ed7fb91 100644
--- a/src/xercesc/util/Transcoders/ICU/ICUTransService.cpp
+++ b/src/xercesc/util/Transcoders/ICU/ICUTransService.cpp
@@ -563,7 +563,7 @@ ICUTranscoder::transcodeFrom(const  XMLByte* const          
srcData
         {
             charSizes[0] = (unsigned char)bytesEaten;
         }
-        else
+        else if( charsDecoded > 0 )
         {
             //  ICU does not return an extra element to allow us to figure
             //  out the last char size, so we have to compute it from the
@@ -574,10 +574,9 @@ ICUTranscoder::transcodeFrom(const  XMLByte* const         
 srcData
                 charSizes[index] = (unsigned char)(fSrcOffsets[index + 1]
                                                     - fSrcOffsets[index]);
             }
-            if( charsDecoded > 0 ) {
-                charSizes[charsDecoded - 1] = (unsigned char)(bytesEaten
-                                              - fSrcOffsets[charsDecoded - 1]);
-            }
+
+            charSizes[charsDecoded - 1] = (unsigned char)(bytesEaten
+                                          - fSrcOffsets[charsDecoded - 1]);
         }
     }
 

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to