In some MB encodings, there are MB upper/lower characters, and MB chars can be
standardised using strupper_m and strlower_m.
These two functions assume no change in size of string before and after the
conversion, and the buffer size is fixed to the length of the string before
the conversion. However, for some encodings like EUCJP-MS, this is not the
case. For some MB chars, the size of the string grows after the strlower_m.
If such a special character appears in a string, then the converted string
would exceed the buffer allocated. It would be terminated before the end,
hence some strings may not be converted properly.
This is non-trivial to fix in Samba 3.0. The buffer size is not passed down to
strupper_m or strlower_m so it's hard to allow arbitrary string
extension in these functions. How do you know where to allow the
zero termination?
The only safe way to do this is to force an upper bound on strlower_m and
strupper_m of something like a pstring length and ensure all callers have
this amount of space available.
Won't fix this in Samba 3.
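
The upper-bound approach discussed above, as an added example (not Samba's code and not part of the original report): a hypothetical `lower_bounded` that is given the destination size and returns the length the full result needs, so the caller can detect truncation. It uses a constructed UTF-8 stand-in pair (U+023A lowercasing to the longer U+2C65) rather than the EUCJP-MS table.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in pair (UTF-8, not the EUCJP-MS table): U+023A is
 * 2 bytes, its lowercase U+2C65 is 3 bytes, so lowercasing grows. */
static const char UP[] = "\xC8\xBA";
static const char LO[] = "\xE2\xB1\xA5";

/* Hypothetical helper: lowercase src into dst without writing more than
 * dst_size bytes. Each replacement is written whole or not at all.
 * Returns the length the full result needs; ret >= dst_size means the
 * output was truncated. */
size_t lower_bounded(const char *src, char *dst, size_t dst_size)
{
    size_t out = 0, need = 0;
    int full = 0;

    while (*src) {
        char one[2] = { 0, 0 };
        const char *rep = one;
        size_t in_len = 1, rep_len;
        if (strncmp(src, UP, sizeof(UP) - 1) == 0) {
            rep = LO;
            in_len = sizeof(UP) - 1;
        } else {   /* ASCII fold; any other byte passes through */
            one[0] = (*src >= 'A' && *src <= 'Z') ? (char)(*src + 32) : *src;
        }
        rep_len = strlen(rep);
        if (!full && out + rep_len < dst_size) {
            memcpy(dst + out, rep, rep_len);
            out += rep_len;
        } else {
            full = 1;   /* stop writing, keep counting */
        }
        need += rep_len;
        src += in_len;
    }
    if (dst_size > 0)
        dst[out] = '\0';
    return need;
}

int main(void)
{
    char same[7];   /* sized from the 6-byte input, as the report describes */
    size_t need = lower_bounded("SH\xC8\xBA" "RE", same, sizeof(same));
    printf("need %zu bytes, wrote \"%s\"\n", need, same);
    return 0;
}
```

With a buffer sized from the input length the final character is dropped and the return value (7) is not smaller than the buffer size (7), which is the signal a caller would check.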