fix buffer overruns in JsonWriter::put with UTF-8 values

Change-Id: I694585a1a540bfefc0e59bd58d8033a96ca35acb
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/122996
Tested-by: Jenkins
Noel Grandin
2021-10-02 13:18:37 +02:00
committed by Michael Meeks
parent 897192f07c
commit 9946a2fef0


@@ -200,7 +200,10 @@ void JsonWriter::writeEscapedOUString(const OUString& rPropVal)
void JsonWriter::put(const char* pPropName, const OUString& rPropVal)
{
auto nPropNameLength = strlen(pPropName);
auto nWorstCasePropValLength = rPropVal.getLength() * 2;
// But values can be any UTF-8,
// see rtl_ImplGetFastUTF8ByteLen in sal/rtl/string.cxx for why a factor 3
// is the worst case
auto nWorstCasePropValLength = rPropVal.getLength() * 3;
ensureSpace(nPropNameLength + nWorstCasePropValLength + 8);
addCommaBeforeField();
@@ -220,8 +223,10 @@ void JsonWriter::put(const char* pPropName, const OUString& rPropVal)
void JsonWriter::put(const char* pPropName, const OString& rPropVal)
{
// we assume property names are ascii
auto nPropNameLength = strlen(pPropName);
auto nWorstCasePropValLength = rPropVal.getLength();
// escaping can double the length
auto nWorstCasePropValLength = rPropVal.getLength() * 2;
ensureSpace(nPropNameLength + nWorstCasePropValLength + 8);
addCommaBeforeField();
@@ -372,7 +377,7 @@ void JsonWriter::put(const char* pPropName, bool nPropVal)
void JsonWriter::putSimpleValue(const OUString& rPropVal)
{
auto nWorstCasePropValLength = rPropVal.getLength() * 2;
auto nWorstCasePropValLength = rPropVal.getLength() * 3;
ensureSpace(nWorstCasePropValLength + 4);
addCommaBeforeField();
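Review bot: The worst-case expansion factor is a bare literal repeated at three call sites (`* 3` in `put(const char*, const OUString&)` and in `putSimpleValue`, `* 2` in the `OString` overload), while the escaping code that determines it is not in these hunks (`writeEscapedOUString` appears only in a hunk header). If the escaper ever emits a longer sequence per input unit, such as a six-byte `\uXXXX` form, the reservation becomes too small again and the overrun returns silently. Consider one named constant per string type, defined next to the escaping routine, and an assertion after each write that the output position is still within what `ensureSpace` reserved. Separately, `getLength()` returns a signed 32-bit length, so the multiplication can overflow for very large values before it is widened for the addition; `auto nWorstCasePropValLength = static_cast<size_t>(rPropVal.getLength()) * 3;` avoids that. All three function bodies continue past the lines shown.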