From: Florian Zumbiehl Date: Wed, 2 Sep 2009 20:52:55 +0000 (+0200) Subject: libblkid: fix buffer overflow in blkid_encode_string() X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6995be9f5a861f5027fe742c9d530eefdd4b0661;p=util-linux libblkid: fix buffer overflow in blkid_encode_string() [kzak@redhat.com: - this is patch is originally from udev repository commit 8cfcf9980a3a7037a12a3052c38e4981cb0f0190] Signed-off-by: Karel Zak --- diff --git a/shlibs/blkid/src/encode.c b/shlibs/blkid/src/encode.c index d45a292e..0317be1f 100644 --- a/shlibs/blkid/src/encode.c +++ b/shlibs/blkid/src/encode.c @@ -243,28 +243,35 @@ int blkid_encode_string(const char *str, char *str_enc, size_t len) { size_t i, j; - if (str == NULL || str_enc == NULL || len == 0) + if (str == NULL || str_enc == NULL) return -1; - str_enc[0] = '\0'; for (i = 0, j = 0; str[i] != '\0'; i++) { int seqlen; seqlen = utf8_encoded_valid_unichar(&str[i]); if (seqlen > 1) { + if (len-j < (size_t)seqlen) + goto err; memcpy(&str_enc[j], &str[i], seqlen); j += seqlen; i += (seqlen-1); } else if (str[i] == '\\' || !is_whitelisted(str[i], NULL)) { + if (len-j < 4) + goto err; sprintf(&str_enc[j], "\\x%02x", (unsigned char) str[i]); j += 4; } else { + if (len-j < 1) + goto err; str_enc[j] = str[i]; j++; } if (j+3 >= len) goto err; } + if (len-j < 1) + goto err; str_enc[j] = '\0'; return 0; err: