Fix integer overflow in utf{16,32}_to_utf8_length

Without an explicit check, the return value can wrap around and return a value that is far too small to hold the data from the resulting conversion. No SafetyNet logging is included because when included aapt fails to link in lmp-mr1-dev. No CTS test is provided because it would need to allocate at least SSIZE_MAX / 2 bytes of UTF-16 data, which is unreasonable on 64-bit devices. Bug: 37723026 Test: run cts -p android.security Change-Id: Ice276dc3a5b62ad389b2e9b8caf670c76b7e5218 Merged-In: Ie2606b92b9eab1acfe8ce4663b43b81156a4cad7
2017-08-14 15:51:29 +01:00 · 2017-08-14 15:51:29 +01:00 · c17624db31
commit c17624db31
parent 6fdfd58fe1
1 changed files with 19 additions and 3 deletions
--- a/libutils/Unicode.cpp
+++ b/libutils/Unicode.cpp
@ -18,6 +18,7 @@
 #include <utils/Unicode.h>

 #include <stddef.h>
+#include <limits.h>

 #ifdef HAVE_WINSOCK
 # undef  nhtol
@ -184,7 +185,14 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len)
    size_t ret = 0;
    const char32_t *end = src + src_len;
    while (src < end) {
-        ret += utf32_codepoint_utf8_length(*src++);
+        size_t char_len = utf32_codepoint_utf8_length(*src++);
+        if (SSIZE_MAX - char_len < ret) {
+            // If this happens, we would overflow the ssize_t type when
+            // returning from this function, so we cannot express how
+            // long this string is in an ssize_t.
+            return -1;
+        }
+        ret += char_len;
    }
    return ret;
 }
@ -420,14 +428,22 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len)
    size_t ret = 0;
    const char16_t* const end = src + src_len;
    while (src < end) {
+        size_t char_len;
        if ((*src & 0xFC00) == 0xD800 && (src + 1) < end
                && (*(src + 1) & 0xFC00) == 0xDC00) {
            // surrogate pairs are always 4 bytes.
-            ret += 4;
+            char_len = 4;
            src += 2;
        } else {
-            ret += utf32_codepoint_utf8_length((char32_t) *src++);
+            char_len = utf32_codepoint_utf8_length((char32_t)*src++);
        }
+        if (SSIZE_MAX - char_len < ret) {
+            // If this happens, we would overflow the ssize_t type when
+            // returning from this function, so we cannot express how
+            // long this string is in an ssize_t.
+            return -1;
+        }
+        ret += char_len;
    }
    return ret;
 }