ref: 9d15403fda575ab73c5501970fe3835265b05aee
parent: 7b4e3be27e510fd93f46c8a10375c509f868df92
author: cinap_lenrek <[email protected]>
date: Sun Oct 31 08:39:46 EDT 2021
libc: fix overflow of domain component rune buffer for idn2utf() If the source string has a run of more than 256 runes without a "." dot, we'd overflow the runebuffer in idn2utf(). The utf2idn() routine had a check in the while loop, but that is actually wrong too, as it would insert a dot and restart the loop in the middle of a domain component. Just error out if a domain component is too long.
--- a/sys/src/libc/9sys/idn.c
+++ b/sys/src/libc/9sys/idn.c
@@ -200,6 +200,8 @@
n = chartorune(&r, cp+nc);
if(r == '.')
break;
+ if(nr >= nelem(rb))
+ return -1;
rb[nr++] = r;
nc += n;
}
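Review bot: The new guard `if(nr >= nelem(rb))` has no comment explaining why an over-long component fails outright. The commit message shows that the earlier attempt at this bound in the sibling routine was subtly wrong, so the reasoning belongs next to the code. I would add `/* component does not fit in rb: fail, do not truncate or split it */` above the check here and above the identical check in the second hunk. The bare `return -1` also gives the caller no reason for the failure. If the surrounding function normally reports errors through `werrstr`, a message here would help, but the function body starts and ends outside the hunk, so that cannot be confirmed from this view.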
@@ -234,10 +236,12 @@
cp = name;
for(;;){
nc = nr = 0;
- while(cp[nc] != 0 && nr < nelem(rb)){
+ while(cp[nc] != 0){
n = chartorune(&r, cp+nc);
if(r == '.')
break;
+ if(nr >= nelem(rb))
+ return -1;
rb[nr++] = r;
nc += n;
}
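Review bot: The component-scanning `while` loop is now the same in both hunks, line for line, and the bug being fixed came from the two copies having diverged: one had a misplaced bound, the other had none. A small `static` helper would keep the bounds check in one place, so the two conversion routines cannot drift apart again. It would scan one component into `rb`, take the buffer capacity as a parameter and return the rune count or -1. The enclosing `for(;;)` and function continue outside the hunk, so how `nc` and `nr` are used after the loop would need checking before factoring it out.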