#581 Out-of-bound array access in Unicode::properties() function.

Documentation
closed
nobody
5
2012-11-18
2012-09-07
zyzstar
No

The Unicode::properties() function from "Foundation/src/Unicode.cpp" does not properly check for invalid values passed as the "ch" parameter. This function is used internally by several popular functions such as Unicode::toLower(), Unicode::isAlpha() etc. This problem makes these functions vulnerable to crashing when fed untrusted user data.

The value of the "ch" variable is passed directly into the PCRE GET_UCD macro. But this macro expects the value of "ch" to always be less than 1114112.

See "pcre_internal.h" and "_pcre_ucd_stage1" array in "pcre_ucd.c".

One way to fix this problem is to put

if (ch >= 1114112) ch = 0;

in front of the Unicode::properties() function. I'm sure one can devise a more systematic fix.
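
As an added illustration (not part of the original report, and not POCO or PCRE code), the sketch below uses a constructed two-stage table to show why a code point of 1114112 indexes one element past the end of the first-stage array, and two ways to guard the lookup. The table contents, the block size of 128 and all function names are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for a two-stage Unicode property table; not PCRE's data.
const std::int64_t kLimit = 1114112;   // 0x110000: the bound quoted in the report
const std::int64_t kBlock = 128;       // assumed block size for this sketch
enum Category { Other = 0, Letter = 1, Digit = 2 };

struct Tables {
    std::vector<std::uint8_t> stage1;  // one block number per 128 code points
    std::vector<std::uint8_t> stage2;  // per-code-point category inside a block
    Tables() : stage1(kLimit / kBlock, 0), stage2(2 * kBlock, Other) {
        stage1[0] = 1;                 // code points 0..127 use block 1
        for (int c = '0'; c <= '9'; ++c) stage2[kBlock + c] = Digit;
        for (int c = 'a'; c <= 'z'; ++c) stage2[kBlock + c] = Letter;
        for (int c = 'A'; c <= 'Z'; ++c) stage2[kBlock + c] = Letter;
    }
};

const Tables& tables() { static const Tables t; return t; }

// Index an unchecked lookup would use into stage1 (computed only, never read).
std::int64_t stage1Index(std::int64_t ch) { return ch / kBlock; }

// True when ch can be looked up without leaving stage1. The lower bound is
// included because the page does not state whether "ch" is signed (assumption).
bool inRange(std::int64_t ch) { return ch >= 0 && ch < kLimit; }

// Strict variant: reject invalid input and let the caller decide what to do.
bool lookupChecked(std::int64_t ch, Category& out) {
    if (!inRange(ch)) return false;
    const Tables& t = tables();
    out = static_cast<Category>(t.stage2[t.stage1[ch / kBlock] * kBlock + ch % kBlock]);
    return true;
}

// Lenient variant: same effect as the report's "ch = 0" substitution.
Category lookupClamped(std::int64_t ch) {
    Category c = Other;
    lookupChecked(inRange(ch) ? ch : 0, c);
    return c;
}
```

The strict variant surfaces malformed input to the caller, while the lenient one silently treats it as code point 0; which is appropriate depends on whether callers such as case-mapping or classification helpers can report an error.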

Discussion

  • fixed in 1.4.5

     
    • status: open --> pending
    • milestone: --> Documentation
     
    • status: pending --> closed