enh(Foundation): #4690: protect against buffer overflow caused by bug…

…gy TextEncoding implementations
pocoproject · Sep 26, 2024 · 54bc0fc · 54bc0fc
1 parent ce9c08a
commit 54bc0fc
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 0 deletions.
diff --git a/Foundation/src/TextBufferIterator.cpp b/Foundation/src/TextBufferIterator.cpp
@@ -102,6 +102,7 @@ int TextBufferIterator::operator * () const
 
 	unsigned char buffer[TextEncoding::MAX_SEQUENCE_LENGTH];
 	unsigned char* p = buffer;
+	unsigned char* pend = p + TextEncoding::MAX_SEQUENCE_LENGTH;
 
 	if (it != _end)
 		*p++ = *it++;
@@ -115,6 +116,7 @@ int TextBufferIterator::operator * () const
 	{
 		while (read < -n && it != _end)
 		{
+			poco_assert(p != pend);
 			*p++ = *it++;
 			read++;
 		}

diff --git a/Foundation/src/TextIterator.cpp b/Foundation/src/TextIterator.cpp
@@ -99,6 +99,7 @@ int TextIterator::operator * () const
 
 	unsigned char buffer[TextEncoding::MAX_SEQUENCE_LENGTH];
 	unsigned char* p = buffer;
+	unsigned char* pend = p + TextEncoding::MAX_SEQUENCE_LENGTH;
 
 	if (it != _end)
 		*p++ = *it++;
@@ -112,6 +113,7 @@ int TextIterator::operator * () const
 	{
 		while (read < -n && it != _end)
 		{
+			poco_assert(p != pend);
 			*p++ = *it++;
 			read++;
 		}

diff --git a/Foundation/testsuite/src/TextIteratorTest.cpp b/Foundation/testsuite/src/TextIteratorTest.cpp
@@ -15,12 +15,14 @@
 #include "Poco/Latin1Encoding.h"
 #include "Poco/UTF8Encoding.h"
 #include "Poco/UTF16Encoding.h"
+#include "Poco/UTF32Encoding.h"
 
 
 using Poco::TextIterator;
 using Poco::Latin1Encoding;
 using Poco::UTF8Encoding;
 using Poco::UTF16Encoding;
+using Poco::UTF32Encoding;
 
 
 TextIteratorTest::TextIteratorTest(const std::string& name): CppUnit::TestCase(name)
@@ -242,6 +244,36 @@ void TextIteratorTest::testSwap()
 }
 
 
+void TextIteratorTest::testUTF32Invalid1()
+{
+	UTF32Encoding encoding;
+	const Poco::UInt32 data[] = {0x00000041, 0xffffffef, 0x00000041, 0x00000041, 0x00000041, 0x00000041, 0x00};
+	std::string text((const char*) data, 24);
+	TextIterator it(text, encoding);
+	TextIterator end(text);
+
+	assertTrue (it != end);
+	assertTrue (*it++ == 0x41);
+	assertTrue (it != end);
+	assertTrue (*it++ == -1);
+}
+
+
+void TextIteratorTest::testUTF32Invalid2()
+{
+	UTF32Encoding encoding;
+	const Poco::UInt32 data[] = {0x00000041, 0xfffffffe, 0xfffffffe, 0x00};
+	std::string text((const char*) data, 12);
+	TextIterator it(text, encoding);
+	TextIterator end(text);
+
+	assertTrue (it != end);
+	assertTrue (*it++ == 0x41);
+	assertTrue (it != end);
+	assertTrue (*it++ == -1);
+}
+
+
 void TextIteratorTest::setUp()
 {
 }
@@ -265,6 +297,8 @@ CppUnit::Test* TextIteratorTest::suite()
 	CppUnit_addTest(pSuite, TextIteratorTest, testUTF8Supplementary);
 	CppUnit_addTest(pSuite, TextIteratorTest, testUTF16Supplementary);
 	CppUnit_addTest(pSuite, TextIteratorTest, testSwap);
+	CppUnit_addTest(pSuite, TextIteratorTest, testUTF32Invalid1);
+	CppUnit_addTest(pSuite, TextIteratorTest, testUTF32Invalid2);
 
 	return pSuite;
 }
diff --git a/Foundation/testsuite/src/TextIteratorTest.h b/Foundation/testsuite/src/TextIteratorTest.h
@@ -33,6 +33,8 @@ class TextIteratorTest: public CppUnit::TestCase
 	void testUTF8Supplementary();
 	void testUTF16Supplementary();
 	void testSwap();
+	void testUTF32Invalid1();
+	void testUTF32Invalid2();
 
 	void setUp();
 	void tearDown();