Attachment 16586 Details for Bug 14684 – The fix

[patch] The fix

patch.txt (text/plain), 3.29 KB, created by Douglas Bagnall on 2021-04-08 09:24:55 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Douglas Bagnall

Created: 2021-04-08 09:24:55 UTC

Size: 3.29 KB

patch

obsolete

>From e7cc91845134cde3b3f37b735bf86fa0b1571983 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Thu, 8 Apr 2021 21:18:46 +1200
>Subject: [PATCH 1/2] util/iconv: reject improperly packed UTF-8
>
>If we allow a string that encodes say '\0' as a multi-byte sequence,
>we are open to confusion where we mix NUL terminated strings with
>sized data blobs, which is to say EVERYWHERE.
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> lib/util/charset/iconv.c | 32 +++++++++++++++++++++-----------
> 1 file changed, 21 insertions(+), 11 deletions(-)
>
>diff --git a/lib/util/charset/iconv.c b/lib/util/charset/iconv.c
>index 1f2d49c0e27..43b3306b0de 100644
>--- a/lib/util/charset/iconv.c
>+++ b/lib/util/charset/iconv.c
>@@ -832,6 +832,11 @@ static size_t utf8_pull(void *cd, const char **inbuf, size_t *inbytesleft,
> 			}
> 			uc[1] = (c[0]>>2) & 0x7;
> 			uc[0] = (c[0]<<6) | (c[1]&0x3f);
>+			if (uc[1] == 0 && uc[0] < 0x80) {
>+				/* this should have been a single byte */
>+				errno = EILSEQ;
>+				goto error;
>+			}
> 			c  += 2;
> 			in_left  -= 2;
> 			out_left -= 2;
>@@ -840,14 +845,24 @@ static size_t utf8_pull(void *cd, const char **inbuf, size_t *inbytesleft,
> 		}
> 
> 		if ((c[0] & 0xf0) == 0xe0) {
>+			unsigned int codepoint;
> 			if (in_left < 3 ||
> 			    (c[1] & 0xc0) != 0x80 ||
> 			    (c[2] & 0xc0) != 0x80) {
> 				errno = EILSEQ;
> 				goto error;
> 			}
>-			uc[1] = ((c[0]&0xF)<<4) | ((c[1]>>2)&0xF);
>-			uc[0] = (c[1]<<6) | (c[2]&0x3f);
>+			codepoint = ((c[2] & 0x3f)        |
>+				     ((c[1] & 0x3f) << 6) |
>+				     ((c[0] & 0x0f) << 12));
>+
>+			if (codepoint < 0x800) {
>+				/* this should be a 1 or 2 byte sequence */
>+				errno = EILSEQ;
>+				goto error;
>+			}
>+			uc[0] = codepoint & 0xff;
>+			uc[1] = codepoint >> 8;
> 			c  += 3;
> 			in_left  -= 3;
> 			out_left -= 2;
>@@ -870,15 +885,10 @@ static size_t utf8_pull(void *cd, const char **inbuf, size_t *inbytesleft,
> 				((c[1]&0x3f)<<12) |
> 				((c[0]&0x7)<<18);
> 			if (codepoint < 0x10000) {
>-				/* accept UTF-8 characters that are not
>-				   minimally packed, but pack the result */
>-				uc[0] = (codepoint & 0xFF);
>-				uc[1] = (codepoint >> 8);
>-				c += 4;
>-				in_left -= 4;
>-				out_left -= 2;
>-				uc += 2;
>-				continue;
>+				/* reject UTF-8 characters that are not
>+				   minimally packed */
>+				errno = EILSEQ;
>+				goto error;
> 			}
> 
> 			codepoint -= 0x10000;
>-- 
>2.20.1
>
>
>From 4efc3605fdb00dedc50bd6a4f13f5a3fba88a366 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Thu, 8 Apr 2021 21:20:17 +1200
>Subject: [PATCH 2/2] util/charset: warn loudly on unexpected E2BIG
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> lib/util/charset/convert_string.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c
>index 96a3af68d27..88b128be547 100644
>--- a/lib/util/charset/convert_string.c
>+++ b/lib/util/charset/convert_string.c
>@@ -435,8 +435,8 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic,
> 				break;
> 			case E2BIG:
> 				reason = "output buffer is too small";
>-				DBG_NOTICE("Conversion error: %s\n",
>-					   reason);
>+				DBG_ERR("Conversion error: %s\n",
>+					reason);
> 				break;
> 			case EILSEQ:
> 				reason="Illegal multibyte sequence";
>-- 
>2.20.1
>

Actions: View

Attachments on bug 14684: 16580 | 16581 | 16582 | 16583 | 16584 | 16585 | 16586 | 16655 | 16656