From: Tom Yu
Date: Wed, 13 May 2009 20:41:37 +0000 (+0000)
Subject: In util/support/utf8_conv.c, the SWAP16 macro is invoked with an
X-Git-Tag: krb5-1.8-alpha1~478
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=9c6c6de0ac5b08c31585350309cb85964b8e01e1;p=krb5.git
In util/support/utf8_conv.c, the SWAP16 macro is invoked with an argument that has side effects. On platforms where SWAP16 can evaluate its argument twice (including platforms where utf8_conv.c creates a fallback definition for the SWAP16 macro), this can cause a read overrun by a factor of two. Rearrange the data flow to avoid calling SWAP16 with an argument that has side effects.
ticket: 6486
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22348 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/util/support/utf8_conv.c b/src/util/support/utf8_conv.c
index f8e4a496b..f972565f9 100644
--- a/src/util/support/utf8_conv.c
+++ b/src/util/support/utf8_conv.c
@@ -268,12 +268,11 @@ k5_ucs2s_to_utf8s(char *utf8str, const krb5_ucs2 *ucs2str,
 {
 while (ucs2len == -1 ? *ucs2str : --ucs2len >= 0) {
 /* Get UTF-8 size of next wide char */
+ ch = *ucs2str++;
 #ifdef K5_BE
 if (little_endian)
- ch = SWAP16(*ucs2str++);
- else
+ ch = SWAP16(ch);
 #endif
- ch = *ucs2str++;
 n = krb5int_ucs2_to_utf8(ch, NULL);
 if (n < 1)
@@ -290,12 +289,11 @@ k5_ucs2s_to_utf8s(char *utf8str, const krb5_ucs2 *ucs2str,
 n = 1; /* In case of empty ucs2str */
 while (ucs2len == -1 ? *ucs2str != 0 : --ucs2len >= 0) {
+ ch = *ucs2str++;
 #ifdef K5_BE
 if (little_endian)
- ch = SWAP16(*ucs2str++);
- else
+ ch = SWAP16(ch);
 #endif
- ch = *ucs2str++;
 n = krb5int_ucs2_to_utf8(ch, p);
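Review bot: The hoisted read `ch = *ucs2str++;` in the first loop has no comment explaining why the increment must stay outside the SWAP16 argument, so a later tidy-up could fold it back into `SWAP16(*ucs2str++)` and reintroduce the over-read the commit message describes; the second loop (the `@@ -290` hunk) needs the same. I would add `/* Read first: SWAP16 may evaluate its argument more than once. */` above the read in both places. The fallback SWAP16 definition is not visible in this diff; if it is a plain function-like macro, replacing it with a `static inline` function would presumably remove the hazard for any future caller as well. The body of k5_ucs2s_to_utf8s starts and ends outside both hunks.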