overflows the string if it encounters a truncated sequence, e.g. a trailing % or %u with less than 4 hex chars.
The testsuite seems to assume that these are legal inputs. I would like to add some overflow checks and errors, instead of decoding uninitialized memory or segfaulting.
There are also no checks for whether the sequences are valid hex values; maybe that should also be caught?
arne
On 10/16/14 20:45, Per Hedbor () @ Pike (-) developers forum wrote:
> overflows the string if it encounters a truncated sequence, e.g. a trailing % or %u with less than 4 hex chars.
The old code relied on the null character after the last character in the string, but that changed when it started to accept widestrings.
The actual decoding code has (and had) proper length checks, but the code scanning for the resulting string length did access out of bounds (even after the null byte). It's not so very likely to actually generate a segfault, but depending on where it has been allocated, that could happen.
if (foo[2] != '0' || foo[3] != '0') {
If the string ends with %u, foo[2] would be the trailing null.
I committed a fix to 8.1, but it will throw an error if a truncated sequence is encountered. If that is not what we want for compatibility reasons, I can revert that and just make sure the code does not read after the null.
arne
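As an added illustration of the fix being discussed (this is not Pike's code and not from the thread), here is a two-pass decoder in C where both the length-scanning pass and the decoding pass carry explicit length checks against an explicit input length, so nothing relies on a trailing null. A trailing `%`, a `%u` with fewer than 4 hex digits, or a non-hex digit is reported as an error rather than read past the end of the buffer. The function names (`decoded_length`, `percent_decode`, `parse_escape`) are my own, and decoding into an array of `uint32_t` stands in for Pike's widestring result.

```c
/* Added example, not Pike's code: bounds-checked scanning and decoding of
 * %XX and %uXXXX escapes. The input length is explicit; no null terminator
 * is assumed or read. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value of a hex digit, or -1 when c is not one. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse ndigits hex digits at p; the caller guarantees ndigits bytes exist.
 * Returns the value, or -1 if any digit is not hex. */
static long hex_field(const char *p, size_t ndigits) {
    long v = 0;
    for (size_t i = 0; i < ndigits; i++) {
        int d = hexval((unsigned char)p[i]);
        if (d < 0) return -1;
        v = (v << 4) | d;
    }
    return v;
}

/* Examine the escape whose '%' sits at in[pos]. On success sets *consumed to
 * the number of input bytes the escape occupies and *value to the decoded
 * code point and returns 0; returns -1 if the escape is truncated or holds a
 * non-hex digit. Only bytes in[pos .. len) are ever touched. */
static int parse_escape(const char *in, size_t len, size_t pos,
                        size_t *consumed, uint32_t *value) {
    size_t rest = len - pos;          /* bytes available, including the '%' */
    if (rest >= 2 && in[pos + 1] == 'u') {
        if (rest < 6) return -1;      /* "%u" needs 4 hex digits after it */
        long v = hex_field(in + pos + 2, 4);
        if (v < 0) return -1;
        *consumed = 6; *value = (uint32_t)v; return 0;
    }
    if (rest < 3) return -1;          /* "%" needs 2 hex digits after it */
    long v = hex_field(in + pos + 1, 2);
    if (v < 0) return -1;
    *consumed = 3; *value = (uint32_t)v; return 0;
}

/* First pass: number of code units the decoded string will need, or -1 on a
 * malformed escape. This is the pass that, in the thread, read past the end. */
ptrdiff_t decoded_length(const char *in, size_t len) {
    size_t n = 0, i = 0;
    while (i < len) {
        if (in[i] == '%') {
            size_t used; uint32_t v;
            if (parse_escape(in, len, i, &used, &v) < 0) return -1;
            i += used;
        } else {
            i++;
        }
        n++;
    }
    return (ptrdiff_t)n;
}

/* Second pass: decode into out (capacity out_cap code units). Returns the
 * number of units written, or -1 on a malformed escape or a too-small buffer. */
ptrdiff_t percent_decode(const char *in, size_t len, uint32_t *out, size_t out_cap) {
    ptrdiff_t need = decoded_length(in, len);
    if (need < 0 || (size_t)need > out_cap) return -1;
    size_t n = 0, i = 0;
    while (i < len) {
        if (in[i] == '%') {
            size_t used; uint32_t v;
            parse_escape(in, len, i, &used, &v);   /* validated by the first pass */
            out[n++] = v; i += used;
        } else {
            out[n++] = (unsigned char)in[i++];
        }
    }
    return (ptrdiff_t)n;
}

int main(void) {
    /* Constructed inputs: a valid string and the truncated cases from the thread. */
    const char *samples[] = { "a%20b%u00e9", "abc%", "abc%u", "%u00", "%zz" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        uint32_t buf[16];
        size_t len = 0;
        while (samples[k][len] != '\0') len++;   /* length computed once, up front */
        ptrdiff_t n = percent_decode(samples[k], len, buf, 16);
        printf("%-12s -> %s (%td units)\n", samples[k], n < 0 ? "error" : "ok", n);
    }
    return 0;
}
```

The point of the split is that `parse_escape` is the single place that decides how many bytes an escape needs, and it checks that count against `len - pos` before touching any of them; both passes go through it, so the length scan can no longer disagree with the decoder about where the input ends.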
pike-devel@lists.lysator.liu.se