[Pkg-samba-maint] [samba] 07/19: CVE-2015-5330: strupper_talloc_n_handle(): properly count characters
Jelmer Vernooij
jelmer at moszumanska.debian.org
Fri Dec 18 13:08:28 UTC 2015
This is an automated email from the git hooks/post-receive script.
jelmer pushed a commit to branch upstream_4.3
in repository samba.
commit 8d718586d3f53baff81adfccb17da98e1ad029fd
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Nov 24 13:49:09 2015 +1300
CVE-2015-5330: strupper_talloc_n_handle(): properly count characters
When a codepoint eats more than one byte we really want to know,
especially if the string is not NUL terminated.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
lib/util/charset/util_unistr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/util/charset/util_unistr.c b/lib/util/charset/util_unistr.c
index f299269..2cc8718 100644
--- a/lib/util/charset/util_unistr.c
+++ b/lib/util/charset/util_unistr.c
@@ -110,11 +110,12 @@ _PUBLIC_ char *strupper_talloc_n_handle(struct smb_iconv_handle *iconv_handle,
return NULL;
}
- while (n-- && *src) {
+ while (n && *src) {
size_t c_size;
codepoint_t c = next_codepoint_handle_ext(iconv_handle, src, n,
CH_UNIX, &c_size);
src += c_size;
+ n -= c_size;
c = toupper_m(c);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git
More information about the Pkg-samba-maint
mailing list