!298 CVE-2020-28928 安全漏洞修

Merge pull request !298 from xuxinyu/fixwcsnrtombs

!298 CVE-2020-28928 安全漏洞修
Merge pull request !298 from xuxinyu/fixwcsnrtombs
a4b34804 · openharmony_ci · Gitee · e5222942 · a7fc0749 · a4b34804
隐藏空白更改
内联并排

Showing with 19 addition and 27 deletion

src/multibyte/wcsnrtombs.c src/multibyte/wcsnrtombs.c +19 -27

未找到文件。
--- a/src/multibyte/wcsnrtombs.c
+++ b/src/multibyte/wcsnrtombs.c
 #include <wchar.h>
+#include <limits.h>
+#include <string.h>
 size_t wcsnrtombs(char *restrict dst, const wchar_t **restrict wcs, size_t wn, size_t n, mbstate_t *restrict st)
 {
-	size_t l, cnt=0, n2;
-	char *s, buf[256];
 	const wchar_t *ws = *wcs;
-	const wchar_t *tmp_ws;
+	size_t cnt = 0;
+	if (!dst) n=0;
-	if (!dst) s = buf, n = sizeof buf;
+	while (ws && wn) {
-	else s = dst;
+		char tmp[MB_LEN_MAX];
+		size_t l = wcrtomb(n<MB_LEN_MAX ? tmp : dst, *ws, 0);
-	while ( ws && n && ( (n2=wn)>=n || n2>32 ) ) {
+		if (l==-1) {
-		if (n2>=n) n2=n;
+			cnt = -1;
-		tmp_ws = ws;
-		l = wcsrtombs(s, &ws, n2, 0);
-		if (!(l+1)) {
-			cnt = l;
-			n = 0;
 			break;
 		}
-		if (s != buf) {
+		if (dst) {
-			s += l;
+			if (n<MB_LEN_MAX) {
+				if (l>n) break;
+				memcpy(dst, tmp, l);
+			}
+			dst += l;
 			n -= l;
 		}
-		wn = ws ? wn - (ws - tmp_ws) : 0;
+		if (!*ws) {
-		cnt += l;
+			ws = 0;
-	}
-	if (ws) while (n && wn) {
-		l = wcrtomb(s, *ws, 0);
-		if ((l+1)<=1) {
-			if (!l) ws = 0;
-			else cnt = l;
 			break;
 		}
-		ws++; wn--;
+		ws++;
-		/* safe - this loop runs fewer than sizeof(buf) times */
+		wn--;
-		s+=l; n-=l;
 		cnt += l;
 	}
 	if (dst) *wcs = ws;