Fix buffer overflow bug in HZ text conversion code

alexdowad · alexdowad · commit 1f17b5468f1f · 2022-05-28T21:53:39.000+02:00
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_hz.c b/ext/mbstring/libmbfl/filters/mbfilter_hz.c
@@ -372,7 +372,7 @@ static void mb_wchar_to_hz(uint32_t *in, size_t len, mb_convert_buf *buf, bool e
 		} else if (s < 0x80) {
 			/* ASCII */
 			if (buf->state != ASCII) {
-				MB_CONVERT_BUF_ENSURE(buf, out, limit, len + 2);
+				MB_CONVERT_BUF_ENSURE(buf, out, limit, len + 3);
 				out = mb_convert_buf_add2(out, '~', '}');
 				buf->state = ASCII;
 			}
@@ -385,11 +385,12 @@ static void mb_wchar_to_hz(uint32_t *in, size_t len, mb_convert_buf *buf, bool e
 		} else {
 			/* GB 2312-80 */
 			if (buf->state != GB2312) {
-				MB_CONVERT_BUF_ENSURE(buf, out, limit, len + 2);
+				MB_CONVERT_BUF_ENSURE(buf, out, limit, len + 4);
 				out = mb_convert_buf_add2(out, '~', '{');
 				buf->state = GB2312;
+			} else {
+				MB_CONVERT_BUF_ENSURE(buf, out, limit, len + 2);
 			}
-			MB_CONVERT_BUF_ENSURE(buf, out, limit, len + 2);
 			out = mb_convert_buf_add2(out, (s >> 8) & 0x7F, s & 0x7F);
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -372,7 +372,7 @@ static void mb_wchar_to_hz(uint32_t in, size_t len, mb_convert_buf buf, bool e`
`372`	`372`	`} else if (s < 0x80) {`
`373`	`373`	`/* ASCII */`
`374`	`374`	`if (buf->state != ASCII) {`
`375`		`- MB_CONVERT_BUF_ENSURE(buf, out, limit, len + 2);`
	`375`	`+ MB_CONVERT_BUF_ENSURE(buf, out, limit, len + 3);`
`376`	`376`	`out = mb_convert_buf_add2(out, '~', '}');`
`377`	`377`	`buf->state = ASCII;`
`378`	`378`	`}`
`@@ -385,11 +385,12 @@ static void mb_wchar_to_hz(uint32_t in, size_t len, mb_convert_buf buf, bool e`
`385`	`385`	`} else {`
`386`	`386`	`/* GB 2312-80 */`
`387`	`387`	`if (buf->state != GB2312) {`
`388`		`- MB_CONVERT_BUF_ENSURE(buf, out, limit, len + 2);`
	`388`	`+ MB_CONVERT_BUF_ENSURE(buf, out, limit, len + 4);`
`389`	`389`	`out = mb_convert_buf_add2(out, '~', '{');`
`390`	`390`	`buf->state = GB2312;`
	`391`	`+ } else {`
	`392`	`+ MB_CONVERT_BUF_ENSURE(buf, out, limit, len + 2);`
`391`	`393`	`}`
`392`		`- MB_CONVERT_BUF_ENSURE(buf, out, limit, len + 2);`
`393`	`394`	`out = mb_convert_buf_add2(out, (s >> 8) & 0x7F, s & 0x7F);`
`394`	`395`	`}`
`395`	`396`	`}`