Opened 18 years ago

Last modified 18 years ago

#839 closed bug

multiple utf-8 string vulnerabilities — at Initial Version

Reported by: marcusoverhagen Owned by: axeld
Priority: normal Milestone: R1
Component: Kits/Interface Kit Version:
Keywords: Cc:
Blocked By: Blocking:
Platform: All

Description

Multiple UTF-8 functions are unsafe and vulnerable to denial of service attacks or buffer overflow attacks.

This includes:

count_utf8_bytes, UTF8CountBytes, UTF8CountChars, UTF8ToCharCode, UTF8ToLength

It is dangerous to look only at the first byte to determine how long a character sequence is. A malformed sequence can be used to skip a string's terminating zero byte.

Example (2 bytes and terminating zero):

0xE0 0x81 0x00

The first byte tells that it's 3 bytes long, and the above mentioned functions will skip the terminating zero.
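The behaviour described in this ticket, as an added example that is not part of the original report and is not Haiku's code: a byte counter that trusts the lead byte, beside one that verifies each continuation byte. The function names, the `limit` parameter and the bytes placed after the terminator are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: the ticket's 0xE0 0x81 0x00, then unrelated bytes
 * standing in for whatever follows the string in memory. */
static const char demo[] = { (char)0xE0, (char)0x81, 0x00, 'N', 'E', 'X', 'T', 0x00 };

/* Sequence length claimed by the lead byte alone; 0 = not a lead byte. */
static size_t lead_len(unsigned char c)
{
    if (c < 0x80) return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Pattern from the ticket: advance by the claimed length without looking
 * at the bytes in between. `limit` only keeps the demo inside its buffer. */
size_t count_bytes_trusting(const char *s, size_t limit)
{
    size_t i = 0;
    while (i < limit && s[i] != '\0') {
        size_t n = lead_len((unsigned char)s[i]);
        i += n ? n : 1;
    }
    return i;
}

/* Hardened: a continuation byte must match 10xxxxxx, so the NUL (or any
 * other non-continuation byte) ends a truncated sequence early. */
size_t count_bytes_checked(const char *s)
{
    size_t i = 0;
    while (s[i] != '\0') {
        size_t n = lead_len((unsigned char)s[i]), k = 1;
        while (k < n && ((unsigned char)s[i + k] & 0xC0) == 0x80)
            k++;
        i += k; /* consume only the bytes actually verified */
    }
    return i;
}

int main(void)
{
    printf("trusting: %zu, checked: %zu\n",
           count_bytes_trusting(demo, sizeof demo), count_bytes_checked(demo));
    return 0;
}
```

On the sample, the trusting counter steps over the terminator and keeps counting into the bytes behind it, while the checked counter stops at the terminator.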
