From eb52da21d72faa3d00b1205a5a0fdbabc45c9e6d Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 25 Sep 2015 17:31:53 -0400 Subject: [PATCH] Fix minor utf8-to-ucs2s read overrun bug k5_utf8s_to_ucs2s() reads and ignores one extra byte from the input string before terminating its loop, possibly overrunning the input buffer of its caller. This overrun is typically without consequence, but can show up in tools like asan or valgrind during RC4 string-to-key operations. Fix the bug by swapping the order of the loop conditions. ticket: 8253 (new) target_version: 1.14 tags: pullup --- src/util/support/utf8_conv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util/support/utf8_conv.c b/src/util/support/utf8_conv.c index 1f6cc8f6a6..80ca90b139 100644 --- a/src/util/support/utf8_conv.c +++ b/src/util/support/utf8_conv.c @@ -84,7 +84,7 @@ k5_utf8s_to_ucs2s(krb5_ucs2 *ucs2str, } /* Examine next UTF-8 character. */ - while (*utf8str && ucs2len < count) { + while (ucs2len < count && *utf8str != '\0') { /* Get UTF-8 sequence length from 1st byte */ utflen = KRB5_UTF8_CHARLEN2(utf8str, utflen); -- 2.47.3