From 2ba6ded493bfd81b278da1469b4a3d0e7b306bb2 Mon Sep 17 00:00:00 2001 From: Aurelien David Date: Mon, 13 Feb 2023 15:42:10 +0100 Subject: [PATCH] [PATCH] fix a5efec8 to cover more cases (#2397) Gbp-Pq: Name CVE-2023-0818.patch --- src/filters/load_text.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/filters/load_text.c b/src/filters/load_text.c index 5914505..8a103f3 100644 --- a/src/filters/load_text.c +++ b/src/filters/load_text.c @@ -246,18 +246,24 @@ char *gf_text_get_utf8_line(char *szLine, u32 lineSize, FILE *txt_in, s32 unicod if (!unicode_type && (szLine[i] & 0x80)) { /*non UTF8 (likely some win-CP)*/ if ((szLine[i+1] & 0xc0) != 0x80) { + if (j >= GF_ARRAY_LENGTH(szLineConv)) + break; szLineConv[j] = 0xc0 | ( (szLine[i] >> 6) & 0x3 ); j++; szLine[i] &= 0xbf; } /*UTF8 2 bytes char*/ else if ( (szLine[i] & 0xe0) == 0xc0) { + if (j >= GF_ARRAY_LENGTH(szLineConv)) + break; szLineConv[j] = szLine[i]; i++; j++; } /*UTF8 3 bytes char*/ else if ( (szLine[i] & 0xf0) == 0xe0) { + if (j+1 >= GF_ARRAY_LENGTH(szLineConv)) + break; szLineConv[j] = szLine[i]; i++; j++; @@ -267,6 +273,8 @@ char *gf_text_get_utf8_line(char *szLine, u32 lineSize, FILE *txt_in, s32 unicod } /*UTF8 4 bytes char*/ else if ( (szLine[i] & 0xf8) == 0xf0) { + if (j+2 >= GF_ARRAY_LENGTH(szLineConv)) + break; szLineConv[j] = szLine[i]; i++; j++; @@ -281,9 +289,17 @@ char *gf_text_get_utf8_line(char *szLine, u32 lineSize, FILE *txt_in, s32 unicod continue; } } + + if (j >= GF_ARRAY_LENGTH(szLineConv)) + break; + szLineConv[j] = szLine[i]; j++; } + if ( j >= GF_ARRAY_LENGTH(szLineConv) ) { + GF_LOG(GF_LOG_DEBUG, GF_LOG_PARSER, ("[TXTIn] Line too long to convert to utf8 (len: %d)\n", len)); + j = GF_ARRAY_LENGTH(szLineConv) -1 ; + } szLineConv[j] = 0; strcpy(szLine, szLineConv); return sOK; -- 2.30.2
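Review bot: The guards added in the 2-, 3- and 4-byte branches bound only the write index `j`; the read index `i` is still advanced past continuation bytes that are never validated, since only `szLine[i+1]` is examined (by the first `if`). A 3- or 4-byte lead byte close to the end of a line would therefore have the terminator, and in the 4-byte case possibly the byte after it, copied as if they were continuation bytes. I would test the remaining bytes before copying, for example `if ((szLine[i+2] & 0xc0) != 0x80) break;` at the top of the 3-byte branch, and the same test on `szLine[i+2]` and then `szLine[i+3]` in the 4-byte branch of the second hunk. The loop header and the tail of these branches lie outside the hunks, so a bound on `i` may already exist there.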
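Review bot: The clamp added after the loop limits `j` to the size of `szLineConv`, but the `strcpy(szLine, szLineConv)` that follows is not bounded by `lineSize`, and the conversion can grow the text because each win-CP byte becomes two bytes. If any caller passes a `szLine` buffer smaller than `szLineConv`, the copy-back would overrun it; the declaration of `szLineConv` and the callers are outside this hunk, so this needs checking against them. Clamping to the destination as well would close it, e.g. `if (lineSize && j >= lineSize) j = lineSize - 1;` before the terminator is written. The truncation is reported only at `GF_LOG_DEBUG`, and not at all when a `j+1` or `j+2` guard breaks out with `j` still below the array length, so I would also add a comment such as `/* over-long lines are truncated on purpose; output stays NUL-terminated */` above the clamp.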