7200277: [parfait] potential buffer overflow in npt/utf.c
Reviewed-by: dsamersoff, dcubed
--- a/jdk/src/share/npt/utf.c Fri Sep 20 17:56:54 2013 +0400
+++ b/jdk/src/share/npt/utf.c Fri Sep 20 16:40:32 2013 +0200
@@ -105,18 +105,24 @@
code = utf16[i];
if ( code >= 0x0001 && code <= 0x007F ) {
+ if ( outputLen + 1 >= outputMaxLen ) {
+ return -1;
+ }
output[outputLen++] = code;
} else if ( code == 0 || ( code >= 0x0080 && code <= 0x07FF ) ) {
+ if ( outputLen + 2 >= outputMaxLen ) {
+ return -1;
+ }
output[outputLen++] = ((code>>6) & 0x1F) | 0xC0;
output[outputLen++] = (code & 0x3F) | 0x80;
} else if ( code >= 0x0800 && code <= 0xFFFF ) {
+ if ( outputLen + 3 >= outputMaxLen ) {
+ return -1;
+ }
output[outputLen++] = ((code>>12) & 0x0F) | 0xE0;
output[outputLen++] = ((code>>6) & 0x3F) | 0x80;
output[outputLen++] = (code & 0x3F) | 0x80;
}
- if ( outputLen > outputMaxLen ) {
- return -1;
- }
}
output[outputLen] = 0;
return outputLen;
@@ -412,12 +418,15 @@
unsigned byte;
byte = bytes[i];
- if ( outputLen >= outputMaxLen ) {
- return -1;
- }
if ( byte <= 0x7f && isprint(byte) && !iscntrl(byte) ) {
+ if ( outputLen + 1 >= outputMaxLen ) {
+ return -1;
+ }
output[outputLen++] = (char)byte;
} else {
+ if ( outputLen + 4 >= outputMaxLen ) {
+ return -1;
+ }
(void)sprintf(output+outputLen,"\\x%02x",byte);
outputLen += 4;
}