luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-04-03 22:33:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

gmarkup: Avoid reading off the end of a buffer when non-nul-terminated

Browse Source 
When extracting a UTF-8 character to put in an error message on parse
failure, pass the remaining buffer length to utf8_str() to avoid it
running off the end of the input buffer. It previously assumed that the
buffer was nul-terminated, which was the case in all the tests until
now.

A following commit will add test coverage for this.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
This commit is contained in:
Philip Withnall 2018-10-26 23:06:37 +13:00
parent f502141f98
commit 3a961236dd
1 changed files with 20 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
glib/gmarkup.c
View File

@ -562,12 +562,14 @@ char_str (gunichar c,
* emitting it as hex escapes. */ * emitting it as hex escapes. */
static gchar* static gchar*
utf8_str (const gchar *utf8, utf8_str (const gchar *utf8,
gsize max_len,
gchar *buf) gchar *buf)
{ {
gunichar c = g_utf8_get_char_validated (utf8, -1); gunichar c = g_utf8_get_char_validated (utf8, max_len);
if (c == (gunichar) -1 || c == (gunichar) -2) if (c == (gunichar) -1 || c == (gunichar) -2)
{ {
gchar *temp = g_strdup_printf ("\\x%02x", (guint)(guchar)*utf8); guchar ch = (max_len > 0) ? (guchar) *utf8 : 0;
gchar *temp = g_strdup_printf ("\\x%02x", (guint) ch);
memset (buf, 0, 8); memset (buf, 0, 8);
memcpy (buf, temp, strlen (temp)); memcpy (buf, temp, strlen (temp));
g_free (temp); g_free (temp);
@ -1222,7 +1224,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
_("“%s” is not a valid character following " _("“%s” is not a valid character following "
"a “<” character; it may not begin an " "a “<” character; it may not begin an "
"element name"), "element name"),
utf8_str (context->iter, buf)); utf8_str (context->iter,
context->current_text_end - context->iter, buf));
} }
break; break;
@ -1263,7 +1266,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
G_MARKUP_ERROR_PARSE, G_MARKUP_ERROR_PARSE,
_("Odd character “%s”, expected a “>” character " _("Odd character “%s”, expected a “>” character "
"to end the empty-element tag “%s”"), "to end the empty-element tag “%s”"),
utf8_str (context->iter, buf), utf8_str (context->iter,
context->current_text_end - context->iter, buf),
current_element (context)); current_element (context));
} }
break; break;
@ -1344,7 +1348,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
G_MARKUP_ERROR_PARSE, G_MARKUP_ERROR_PARSE,
_("Odd character “%s”, expected a “=” after " _("Odd character “%s”, expected a “=” after "
"attribute name “%s” of element “%s”"), "attribute name “%s” of element “%s”"),
utf8_str (context->iter, buf), utf8_str (context->iter,
context->current_text_end - context->iter, buf),
current_attribute (context), current_attribute (context),
current_element (context)); current_element (context));
@ -1388,7 +1393,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
"element “%s”, or optionally an attribute; " "element “%s”, or optionally an attribute; "
"perhaps you used an invalid character in " "perhaps you used an invalid character in "
"an attribute name"), "an attribute name"),
utf8_str (context->iter, buf), utf8_str (context->iter,
context->current_text_end - context->iter, buf),
current_element (context)); current_element (context));
} }
@ -1430,7 +1436,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
_("Odd character “%s”, expected an open quote mark " _("Odd character “%s”, expected an open quote mark "
"after the equals sign when giving value for " "after the equals sign when giving value for "
"attribute “%s” of element “%s”"), "attribute “%s” of element “%s”"),
utf8_str (context->iter, buf), utf8_str (context->iter,
context->current_text_end - context->iter, buf),
current_attribute (context), current_attribute (context),
current_element (context)); current_element (context));
} }
@ -1563,8 +1570,10 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
_("“%s” is not a valid character following " _("“%s” is not a valid character following "
"the characters “</”; “%s” may not begin an " "the characters “</”; “%s” may not begin an "
"element name"), "element name"),
utf8_str (context->iter, buf), utf8_str (context->iter,
utf8_str (context->iter, buf)); context->current_text_end - context->iter, buf),
utf8_str (context->iter,
context->current_text_end - context->iter, buf));
} }
break; break;
@ -1599,7 +1608,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
_("“%s” is not a valid character following " _("“%s” is not a valid character following "
"the close element name “%s”; the allowed " "the close element name “%s”; the allowed "
"character is “>”"), "character is “>”"),
utf8_str (context->iter, buf), utf8_str (context->iter,
context->current_text_end - context->iter, buf),
close_name->str); close_name->str);
} }
else if (context->tag_stack == NULL) else if (context->tag_stack == NULL)