buffer overflow possible in CNI string-handling code?
Tom Tromey
tromey@redhat.com
Mon Mar 11 14:42:00 GMT 2002
>>>>> "Adam" == Adam Megacz <gcj@lists.megacz.com> writes:
Adam> char buf2[text->length() + 1];
Adam> buf2[text->length()] = '\0';
Adam> JvGetStringUTFRegion(text, 0, text->length(), buf2);
This code has a bug. text->length() is the length in characters.
These don't map directly onto UTF-8 bytes.
You must use JvGetStringUTFLength to find the length in bytes.
This is because UTF-8 is a variable-length encoding. A single Unicode
character, represented in UTF-8, can take from 1 to 5 (or is it 6?)
bytes.
Adam> If a malicious user sends a huge string for 'text', will the
Adam> allocation of buf2 notice that text->length() > stacksize, and
Adam> refuse to proceed (either a crash or an exception is
Adam> acceptable)?
Assuming you use JvGetStringUTFLength, you'll get a crash, I think.
Eventually our goal is that you'll get StackOverflowError.
Tom
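Added example, not code from this thread or from libgcj: the sizing mismatch Tom describes, in plain C++ with a `jchar` vector standing in for the Java string and hypothetical stand-ins `utf_length` / `utf_region` for JvGetStringUTFLength / JvGetStringUTFRegion. The per-character byte rule is an assumption made for the example, and `shortfall_if_sized_by_chars` measures how far the quoted `text->length() + 1` sizing falls short.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
typedef uint16_t jchar;
typedef std::vector<jchar> JavaText;  // stands in for a java::lang::String
// Bytes per UTF-16 unit in JNI-style "modified UTF-8" (1: U+0001..U+007F,
// 2: U+0000 and U+0080..U+07FF, 3: otherwise); an assumed rule, not libgcj's.
static size_t utf8_bytes_for(jchar c) {
    return (c >= 0x01 && c <= 0x7F) ? 1 : (c <= 0x7FF) ? 2 : 3;
}
// Role of JvGetStringUTFLength: byte length, which can exceed the character
// count text.size() that the quoted code used to size its buffer.
size_t utf_length(const JavaText& text) {
    size_t n = 0;
    for (size_t i = 0; i < text.size(); ++i) n += utf8_bytes_for(text[i]);
    return n;
}
// Role of JvGetStringUTFRegion: encode text[start, start+len) into buf, which
// the caller must have sized from utf_length(). Returns bytes written.
size_t utf_region(const JavaText& text, size_t start, size_t len, char* buf) {
    size_t out = 0;
    for (size_t i = start; i < start + len; ++i) {
        jchar c = text[i];
        if (c >= 0x01 && c <= 0x7F) {
            buf[out++] = (char)c;
        } else if (c <= 0x7FF) {
            buf[out++] = (char)(0xC0 | (c >> 6));
            buf[out++] = (char)(0x80 | (c & 0x3F));
        } else {
            buf[out++] = (char)(0xE0 | (c >> 12));
            buf[out++] = (char)(0x80 | ((c >> 6) & 0x3F));
            buf[out++] = (char)(0x80 | (c & 0x3F));
        }
    }
    return out;
}
// Bytes the quoted sizing (text->length() + 1) falls short by: 0 for pure
// ASCII, positive (a buffer overflow) for any non-ASCII character.
size_t shortfall_if_sized_by_chars(const JavaText& text) {
    size_t needed = utf_length(text) + 1, allocated = text.size() + 1;
    return needed > allocated ? needed - allocated : 0;
}
// Correct pattern: size by byte length, encode, then NUL-terminate.
std::string to_utf8(const JavaText& text) {
    std::vector<char> buf(utf_length(text) + 1);
    size_t n = utf_region(text, 0, text.size(), &buf[0]);
    buf[n] = '\0';
    return std::string(&buf[0], n);
}
```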