From 2341cef6e98166977ee4f89cf1c3992a68cb3b4a Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita
Date: Thu, 11 Mar 2021 19:34:53 +0900
Subject: Prevent index overflow due to tag_map in libwc

Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31936
---
 libwc/ucs.c | 6 +++---
 libwc/ucs.h | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/libwc/ucs.c b/libwc/ucs.c
index 18c3a67..5d110f3 100644
--- a/libwc/ucs.c
+++ b/libwc/ucs.c
@@ -677,9 +677,9 @@ wc_ucs_put_tag(char *p)
         if (!strcasecmp(p, tag_map[i]))
             return i;
     }
-    n_tag_map++;
-    if (n_tag_map == MAX_TAG_MAP)
+    if (n_tag_map + 1 >= MAX_TAG_MAP)
         return 0;
+    n_tag_map++;
     tag_map[n_tag_map] = p;
     return n_tag_map;
 }
@@ -687,7 +687,7 @@ wc_ucs_put_tag(char *p)
 char *
 wc_ucs_get_tag(int ntag)
 {
-    if (ntag == 0 || ntag > n_tag_map)
+    if (ntag <= 0 || ntag > n_tag_map)
         return NULL;
     return tag_map[ntag];
 }
diff --git a/libwc/ucs.h b/libwc/ucs.h
index 261351e..3a721a9 100644
--- a/libwc/ucs.h
+++ b/libwc/ucs.h
@@ -25,8 +25,8 @@
 #define WC_C_UCS4_PLANE3 0x30000
 
 #define wc_ucs_tag_to_ucs(c) ((c) & WC_C_UNICODE_MASK)
-#define wc_ucs_tag_to_tag(c) ((c) >> 24)
-#define wc_ucs_to_ucs_tag(c,tag) ((c) | ((tag) << 24))
+#define wc_ucs_tag_to_tag(c) (((c) >> 24) & 0xff)
+#define wc_ucs_to_ucs_tag(c,tag) ((c) | ((wc_uint32)((tag) & 0xff) << 24))
 #define wc_ccs_ucs_to_ccs_ucs_tag(ccs) (WC_CCS_UCS_TAG | ((ccs) & ~WC_CCS_A_SET))
 #define wc_ucs_to_utf16(ucs) \
 ((((((ucs) - WC_C_UCS4_PLANE1) >> 10) | WC_C_UCS2_SURROGATE) << 16) \
-- 
cgit v1.2.3
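Review bot: The reordered bound check in wc_ucs_put_tag is correct but undocumented, and the reason it must precede the increment is exactly what the old code got wrong: once the table filled, n_tag_map stayed past MAX_TAG_MAP and every later call wrote tag_map[n_tag_map] out of bounds. A comment above the new check would keep the next refactor from swapping the lines back, e.g. `/* Check before incrementing: a full table must never advance n_tag_map, or later calls index past tag_map[]. */`. The return value 0 on a full table is the same sentinel wc_ucs_get_tag treats as "no tag", so callers silently get an untagged character rather than an error; that is pre-existing, but it is worth a one-line note at the `return 0;` so it is not mistaken for a valid index. The head of wc_ucs_put_tag (the search loop and the declaration of i) lies outside the hunk.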
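Review bot: The new `& 0xff` in wc_ucs_tag_to_tag and wc_ucs_to_ucs_tag fixes the field to eight bits, so any tag number of 256 or more would alias modulo 256 into a different entry of tag_map; the definition of MAX_TAG_MAP is not in this diff, so I cannot confirm it is bounded accordingly. The two limits should be tied together where MAX_TAG_MAP is defined, with `_Static_assert(MAX_TAG_MAP <= 256, "tag number must fit the 8-bit field in wc_ucs_to_ucs_tag");` if the build allows C11, or otherwise a comment stating the dependency. The `(wc_uint32)` cast before the shift is the right fix, since shifting an int by 24 with a tag value of 128 or more would otherwise overflow into the sign bit; a short comment on that line, `/* cast before shifting: tag << 24 would overflow a signed int */`, would record why the cast is there. The wc_ucs_to_utf16 macro continues past the end of the hunk.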