In krb5int_utf8_normalize(), check the length of the current character
against the buffer length before reading more than one byte. Credit
to OSS-Fuzz for discovering the overrun.
ticket: 9072 (new)
/* s[i] is non-ascii */
/* convert everything up to next ascii to ucs-4 */
while (i < len) {
+ /* KRB5_UTF8_CHARLEN only looks at the first byte; use it to guard
+ * against small read overruns. */
+ if (KRB5_UTF8_CHARLEN(s + i) > len - i) {
+ retval = KRB5_ERR_INVALID_UTF8;
+ goto cleanup;
+ }
clen = KRB5_UTF8_CHARLEN2(s + i, clen);
if (clen == 0) {
retval = KRB5_ERR_INVALID_UTF8;
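Review bot: the new guard `if (KRB5_UTF8_CHARLEN(s + i) > len - i)` is only safe because the enclosing `while (i < len)` keeps `len - i` at least 1, and the added comment does not say so. If the loop condition is changed later, the subtraction can wrap or the macro can read `s[i]` past the end. Please extend the comment to state that dependency, and to say that it is the following `KRB5_UTF8_CHARLEN2(s + i, clen)` call that reads beyond the first byte, so the check has to stay ahead of it. The declarations of `len` and `i` are not visible in this hunk; if they are unsigned and the macro yields a signed value, an explicit cast on the left-hand side would avoid a mixed-sign comparison. No regression test appears in the visible change; an input that ends in the lead byte of a multi-byte sequence, expecting `KRB5_ERR_INVALID_UTF8`, would pin the fix.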