In util/support/utf8_conv.c, the SWAP16 macro is invoked with an
authorTom Yu <tlyu@mit.edu>
Wed, 13 May 2009 20:41:37 +0000 (20:41 +0000)
committerTom Yu <tlyu@mit.edu>
Wed, 13 May 2009 20:41:37 +0000 (20:41 +0000)
argument that has side effects.  On platforms where SWAP16 can
evaluate its argument twice (including platforms where utf8_conv.c
creates a fallback definition for the SWAP16 macro), this can cause a
read overrun by a factor of two.

Rearrange the data flow to avoid calling SWAP16 with an argument that
has side effects.

ticket: 6486
tags: pullup
target_version: 1.7

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22348 dc483132-0cff-0310-8789-dd5450dbe970

src/util/support/utf8_conv.c

index f8e4a496bc5f465435a7446c73619b92f0d65977..f972565f90630717bfe3901e38efdcc302f15c13 100644 (file)
@@ -268,12 +268,11 @@ k5_ucs2s_to_utf8s(char *utf8str, const krb5_ucs2 *ucs2str,
     {
        while (ucs2len == -1 ? *ucs2str : --ucs2len >= 0) {
            /* Get UTF-8 size of next wide char */
+         ch = *ucs2str++;
 #ifdef K5_BE
            if (little_endian)
-               ch = SWAP16(*ucs2str++);
-           else
+               ch = SWAP16(ch);
 #endif
-               ch = *ucs2str++;
 
            n = krb5int_ucs2_to_utf8(ch, NULL);
            if (n < 1)
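Review bot: Nothing at the new `ch = *ucs2str++;` line records why the read and the swap are now separate statements, so a later tidy-up could fold them back into `SWAP16(*ucs2str++)` and bring back the double increment and the read past the end of the input. A short comment above the read would guard against that, for example `/* Read first: SWAP16 may evaluate its argument more than once. */`; the same applies to the identical change in the second hunk (the conversion loop). The fallback SWAP16 definition is not visible here, but if it is a plain macro, making it a `static inline` function or documenting the single-evaluation requirement at its definition would remove the hazard for future callers. The body of k5_ucs2s_to_utf8s starts and ends outside this hunk, so other SWAP16 uses in the file could not be checked from this page.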
@@ -290,12 +289,11 @@ k5_ucs2s_to_utf8s(char *utf8str, const krb5_ucs2 *ucs2str,
 
     n = 1;                                     /* In case of empty ucs2str */
     while (ucs2len == -1 ? *ucs2str != 0 : --ucs2len >= 0) {
+      ch = *ucs2str++;
 #ifdef K5_BE
        if (little_endian)
-           ch = SWAP16(*ucs2str++);
-       else
+           ch = SWAP16(ch);
 #endif
-           ch = *ucs2str++;
 
        n = krb5int_ucs2_to_utf8(ch, p);