Commit 32e5cab5 authored by Chengwei Yang's avatar Chengwei Yang Committed by Simon McVittie

Fix: a non ascii byte will trigger BadAddress error

If a byte in DBusString *unescaped is not an ASCII byte, it is cast to
char (signed char on most platforms), so the issue is an unsigned char
being cast to signed char. E.g. "\303\266" is a valid Unicode
character; if everything goes right, it is escaped to "%c3%b6".
However, it is in fact escaped to "%<garbage-byte>3%<garbage-byte>6".

_dbus_string_append_byte_as_hex() takes an int parameter, so a negative
byte is accepted, but it produces a negative array index, so a garbage
value is read. E.g. '\303' --> hexdigits[((signed byte)(-61)) >> 4] is
hexdigits[-4].

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=53499

Sgne-off-by: default avatarChengwei Yang <chengwei.yang@intel.com>
[fixed whitespace -smcv]
Reviewed-by: default avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
parent 160fbc9e
......@@ -104,15 +104,15 @@ dbus_bool_t
_dbus_address_append_escaped (DBusString *escaped,
const DBusString *unescaped)
{
const char *p;
const char *end;
const unsigned char *p;
const unsigned char *end;
dbus_bool_t ret;
int orig_len;
ret = FALSE;
orig_len = _dbus_string_get_length (escaped);
p = _dbus_string_get_const_data (unescaped);
p = (const unsigned char *) _dbus_string_get_const_data (unescaped);
end = p + _dbus_string_get_length (unescaped);
while (p != end)
{
......
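Review bot: The new `(const unsigned char *)` cast on the `p = ...` line carries no comment explaining why the pointer must be unsigned, so a later cleanup could change it back to `const char *` and reintroduce the negative table index described in the commit message. I would add `/* unsigned: bytes >= 0x80 must not be sign-extended before hex-escaping */` above the declarations of `p` and `end`. No test is visible in this commit; a case that escapes the message's own example `"\303\266"` and expects `%c3%b6` would pin the fix. The loop body continues outside the hunk, so how `*p` is consumed cannot be checked from here.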
......@@ -2228,7 +2228,7 @@ _dbus_string_starts_with_c_str (const DBusString *a,
*/
dbus_bool_t
_dbus_string_append_byte_as_hex (DBusString *str,
int byte)
unsigned char byte)
{
const char hexdigits[16] = {
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
......
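Review bot: Narrowing `byte` from `int` to `unsigned char` means any caller that passes a value outside 0..255 is now silently reduced modulo 256, and the doc comment that ends just above the signature is not touched in this hunk to state that contract. I would add a line to that comment such as `@param byte the byte to append (0x00..0xff); a plain char argument is converted to unsigned char, so bytes >= 0x80 are safe`. The table lookup itself is outside the hunk; assuming it still indexes with `byte >> 4` and `byte & 0x0f`, both stay inside the 16-entry `hexdigits` array once the parameter is unsigned. Other callers are not visible here and are worth checking for `int` arguments that relied on the old signature.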
......@@ -259,7 +259,7 @@ void _dbus_string_delete_first_word (DBusString *str);
void _dbus_string_delete_leading_blanks (DBusString *str);
void _dbus_string_chop_white (DBusString *str);
dbus_bool_t _dbus_string_append_byte_as_hex (DBusString *str,
int byte);
unsigned char byte);
dbus_bool_t _dbus_string_hex_encode (const DBusString *source,
int start,
DBusString *dest,
......