mer-hybris / libgbinder

GLib-style interface to binder
BSD 3-Clause "New" or "Revised" License

[gbinder] Calculate correct size for UTF-16 buffer in advance. Fixes JB#61524 #122

Closed abranson closed 7 months ago

abranson commented 7 months ago

In UTF-16, code points U+010000 to U+10FFFF are encoded using 'surrogate pairs' where 32 bits are actually used. If a string is mostly emojis, that can end up larger than the len*2 bytes assumed by padded_len. Convert the string to UTF-16 before allocating the extra buffer size so it will be correct.
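The sizing mismatch described above, as an added example in plain C that is not libgbinder's code: naive_utf16_bytes models the pre-fix estimate (assuming len is the character count, so len * 2 bytes), exact_utf16_bytes measures the UTF-16 form first, and utf16_shortfall is the number of bytes a buffer sized the old way would be overrun by. The small UTF-8 decoder and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed helper (not libgbinder code): decode one UTF-8 sequence at p,
 * store the code point, return its byte length (1..4) or 0 if malformed. */
static int utf8_decode(const unsigned char *p, uint32_t *cp)
{
    int n;
    if (*p < 0x80)                { *cp = *p;        n = 1; }
    else if ((*p & 0xE0) == 0xC0) { *cp = *p & 0x1F; n = 2; }
    else if ((*p & 0xF0) == 0xE0) { *cp = *p & 0x0F; n = 3; }
    else if ((*p & 0xF8) == 0xF0) { *cp = *p & 0x07; n = 4; }
    else return 0;
    for (int i = 1; i < n; i++) {
        if ((p[i] & 0xC0) != 0x80) return 0;
        *cp = (*cp << 6) | (p[i] & 0x3F);
    }
    return n;
}

/* Pre-fix sizing: one 16-bit unit per character, i.e. len * 2 bytes where
 * len is the character count. Returns 0 for malformed input. */
size_t naive_utf16_bytes(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t chars = 0; uint32_t cp; int n;
    for (; *p; p += n, chars++)
        if (!(n = utf8_decode(p, &cp))) return 0;
    return chars * 2;
}

/* Post-fix sizing: count UTF-16 code units before allocating. Code points
 * U+010000..U+10FFFF become a surrogate pair, i.e. two units (4 bytes). */
size_t exact_utf16_bytes(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t units = 0; uint32_t cp; int n;
    for (; *p; p += n) {
        if (!(n = utf8_decode(p, &cp))) return 0;
        units += (cp >= 0x10000) ? 2 : 1;
    }
    return units * 2;
}

/* Bytes a buffer sized by the naive estimate is short by (0 means no overrun). */
size_t utf16_shortfall(const char *s)
{
    size_t want = exact_utf16_bytes(s), have = naive_utf16_bytes(s);
    return want > have ? want - have : 0;
}
```

For three U+1F600 emoji the naive estimate is 6 bytes while the UTF-16 form needs 12, so a writer trusting the estimate writes 6 bytes past the allocation, which is the kind of invalid write the valgrind trace in this thread reports.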

monich commented 7 months ago

Yes, indeed. I was able to write a unit test that catches out-of-range writes in master, e.g.

==70915== Invalid write of size 2
==70915==    at 0x48529E3: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==70915==    by 0x12C209: gbinder_writer_data_append_string16_len (gbinder_writer.c:542)
==70915==    by 0x12BFA6: gbinder_writer_append_string16_len (gbinder_writer.c:468)
==70915==    by 0x12BF5D: gbinder_writer_append_string16 (gbinder_writer.c:456)
==70915==    by 0x1157D4: test_string16 (unit_writer.c:550)
==70915==    by 0x4958AED: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4)
==70915==    by 0x495880A: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4)
==70915==    by 0x495880A: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4)
==70915==    by 0x4958FE9: g_test_run_suite (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4)
==70915==    by 0x4959055: g_test_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4)
==70915==    by 0x119A26: main (unit_writer.c:1625)
==70915==  Address 0x5112400 is 0 bytes after a block of size 16 alloc'd
==70915==    at 0x48487A9: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==70915==    by 0x4939D7F: g_realloc (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4)
==70915==    by 0x48FEFF8: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4)
==70915==    by 0x48FF58B: g_array_set_size (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4)
==70915==    by 0x48FF87D: g_byte_array_set_size (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4)
==70915==    by 0x12C16B: gbinder_writer_data_append_string16_len (gbinder_writer.c:528)
==70915==    by 0x12BFA6: gbinder_writer_append_string16_len (gbinder_writer.c:468)
==70915==    by 0x12BF5D: gbinder_writer_append_string16 (gbinder_writer.c:456)
==70915==    by 0x1157D4: test_string16 (unit_writer.c:550)
==70915==    by 0x4958AED: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4)
==70915==    by 0x495880A: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4)
==70915==    by 0x495880A: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4)