Author: ivan
Date: Mon Apr 27 19:00:23 2026
New Revision: 1933404
Log:
Fix potential integer overflow in svn_subr__win32_xlate_to_stringbuf().
* subversion/libsvn_subr/win32_xlate.c
(svn_subr__win32_xlate_to_stringbuf): Check that src_length is less than
INT_MAX. Otherwise return ERROR_INVALID_PARAMETER.
Modified:
subversion/trunk/subversion/libsvn_subr/win32_xlate.c
Modified: subversion/trunk/subversion/libsvn_subr/win32_xlate.c
==============================================================================
--- subversion/trunk/subversion/libsvn_subr/win32_xlate.c Mon Apr 27
18:45:04 2026 (r1933403)
+++ subversion/trunk/subversion/libsvn_subr/win32_xlate.c Mon Apr 27
19:00:23 2026 (r1933404)
@@ -205,8 +205,14 @@ svn_subr__win32_xlate_to_stringbuf(svn_s
return APR_SUCCESS;
}
- retval = MultiByteToWideChar(handle->from_page_id, 0, src_data, src_length,
- NULL, 0);
+ /* Use ERROR_INVALID_PARAMETER in case of integer overflow:
+ MultiByteToWideChar() returns ERROR_INVALID_PARAMETER in case source
+ string is longer than 2GB and cbMultiByte is -1 (use strlen). */
+ if (src_length > INT_MAX)
+ return APR_FROM_OS_ERROR(ERROR_INVALID_PARAMETER);
+
+ retval = MultiByteToWideChar(handle->from_page_id, 0, src_data,
+ (int)src_length, NULL, 0);
if (retval == 0)
return apr_get_os_error();
@@ -222,8 +228,8 @@ svn_subr__win32_xlate_to_stringbuf(svn_s
wide_str = apr_palloc(pool, wide_size * sizeof(WCHAR));
}
- retval = MultiByteToWideChar(handle->from_page_id, 0, src_data, src_length,
- wide_str, wide_size);
+ retval = MultiByteToWideChar(handle->from_page_id, 0, src_data,
+ (int)src_length, wide_str, wide_size);
if (retval == 0)
return apr_get_os_error();
