Bug 869262: AppendAVA() should pass the the minimum of avaValue->len and
authorWan-Teh Chang <wtc@google.com>
Mon, 13 May 2013 16:12:33 -0700
changeset 10774 edfcd816acafb25b4d7d7d491fcc7fd51237f4e2
parent 10773 c88025643daf7f81164a46b697c47d9a4682f31b
child 10775 7033d1286a5f9c05ec8419e4149e491ae4e6bb11
push id83
push userwtc@google.com
push dateMon, 13 May 2013 23:12:37 +0000
bugs869262
Bug 869262: AppendAVA() should pass the the minimum of avaValue->len and valueLen to escapeAndQuote() to avoid reading beyond the end of the avaValue->data buffer. r=sleevi.
lib/certdb/alg1485.c
--- a/lib/certdb/alg1485.c
+++ b/lib/certdb/alg1485.c
@@ -1031,18 +1031,20 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava,
 	}
 	rv = SECSuccess;
     } else if (!truncateValue) {
 	rv = escapeAndQuote(encodedAVA + nameLen, len - nameLen, 
 			    (char *)avaValue->data, avaValue->len, &mode);
     } else {
 	/* must truncate the escaped and quoted value */
 	char bigTmpBuf[TMPBUF_LEN * 3 + 3];
+	PORT_Assert(valueLen < sizeof tmpBuf);
 	rv = escapeAndQuote(bigTmpBuf, sizeof bigTmpBuf,
-			    (char *)avaValue->data, valueLen, &mode);
+			    (char *)avaValue->data,
+			    PR_MIN(avaValue->len, valueLen), &mode);
 
 	bigTmpBuf[valueLen--] = '\0'; /* hard stop here */
 	/* See if we're in the middle of a multi-byte UTF8 character */
 	while (((bigTmpBuf[valueLen] & 0xc0) == 0x80) && valueLen > 0) {
 	    bigTmpBuf[valueLen--] = '\0';
 	}
 	/* add ellipsis to signify truncation. */
 	bigTmpBuf[++valueLen] = '.';