dp.h: check _ucs2size in format_ucs2()
When memcpy() is called in format_ucs2(), the value of ucs2size - sizeof(uint16_t) is not checked. It may result in out-of-bounds writing due to integer underflow.

Signed-off-by: century6 <[email protected]>
century6 authored and vathpela committed Jan 29, 2024
1 parent ab3cf61 commit 573be47
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/dp.h
Expand Up @@ -123,7 +123,7 @@ format_vendor_helper(unsigned char *buf, size_t size, char *label,
uint16_t *_ucs2buf; \
uint32_t _ucs2size = sizeof(uint16_t) * len; \
_ucs2buf = alloca(_ucs2size); \
if (_ucs2buf == NULL) \
if (_ucs2buf == NULL || _ucs2size < sizeof(uint16_t)) \
return -1; \
memset(_ucs2buf, '\0', _ucs2size); \
memcpy(_ucs2buf, str, _ucs2size - sizeof(uint16_t)); \
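Review bot: the new `_ucs2size < sizeof(uint16_t)` test sits in the `if` that follows `_ucs2buf = alloca(_ucs2size);`, so a zero-length request still reaches alloca() before it is rejected; the size check should run before the allocation. It does stop the `_ucs2size - sizeof(uint16_t)` underflow in the memcpy() call, which is the stated goal. Two related points on the same lines: alloca() does not signal failure by returning NULL (an oversized request overruns the stack instead), so the retained `_ucs2buf == NULL` test gives no protection against a large `len`, and `sizeof(uint16_t) * len` is stored in a `uint32_t`, so the product can be truncated if `len` is wide enough. Consider bounding `len` explicitly before computing `_ucs2size`, and adding a short comment on the macro saying that a length of zero is rejected with -1.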