From patchwork Tue Apr 12 23:46:08 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mauro Carvalho Chehab <mchehab@redhat.com>
X-Patchwork-Id: 702341
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id p3CNkFJ8004425
	for <patchwork-media@patchwork.kernel.org>;
	Tue, 12 Apr 2011 23:46:16 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1757267Ab1DLXqN (ORCPT
	<rfc822;patchwork-media@patchwork.kernel.org>);
	Tue, 12 Apr 2011 19:46:13 -0400
Received: from mx1.redhat.com ([209.132.183.28]:5442 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1757115Ab1DLXqN (ORCPT <rfc822;linux-media@vger.kernel.org>);
	Tue, 12 Apr 2011 19:46:13 -0400
Received: from int-mx01.intmail.prod.int.phx2.redhat.com
	(int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id p3CNkADE020471
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Tue, 12 Apr 2011 19:46:10 -0400
Received: from [10.11.8.34] (vpn-8-34.rdu.redhat.com [10.11.8.34])
	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with
	ESMTP id p3CNk9qN028062; Tue, 12 Apr 2011 19:46:09 -0400
Message-ID: <4DA4E440.7090008@redhat.com>
Date: Tue, 12 Apr 2011 20:46:08 -0300
From: Mauro Carvalho Chehab <mchehab@redhat.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.2.13) Gecko/20101208 Red Hat/3.1.7-3.el6_0
	Thunderbird/3.1.7
MIME-Version: 1.0
To: Linux Media Mailing List <linux-media@vger.kernel.org>,
	wk <handygewinnspiel@gmx.de>
Subject: [PATCH dvb-apps] Avoid buffer overflow with UTF-8 32-bit strings
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
	milter-greylist-4.2.6 (demeter1.kernel.org [140.211.167.41]);
	Tue, 12 Apr 2011 23:46:16 +0000 (UTC)

As Winfried <handygewinnspiel@gmx.de> pointed, me UTF-8 can have up to 
32 bits.

Also, someone might want to convert data to UCS-4, So, the buffer need to 
have 4 bytes per char, to be safe.

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
---
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/util/scan/scan.c b/util/scan/scan.c
--- a/util/scan/scan.c
+++ b/util/scan/scan.c
@@ -884,7 +884,7 @@ static void descriptorcpy(char **dest, c
 	 * Destination length should be bigger. As the worse case seems to
 	 * use 3 chars for one code, use it for destlen
 	 */
-	destlen = len * 3;
+	destlen = len * 4;
 	*dest = malloc(destlen + 1);
 
 	/* Remove special chars */