[[ Bug 20898 ]] Ensure malloc'd pointer is not incremented before free

livecodeali · livecodeali · commit 582d0863e59b · 2018-02-21T23:06:15.000Z
diff --git a/docs/notes/bugfix-20898.md b/docs/notes/bugfix-20898.md
@@ -0,0 +1 @@
+# Fix crash when converting from utf16 with revDataFromQuery
diff --git a/libexternal/src/osxsupport.cpp b/libexternal/src/osxsupport.cpp
@@ -98,39 +98,33 @@ char *string_from_utf16(const unsigned short *p_utf16_string, int p_length)
 		                                  &s_unicode_converter);
 	}
 	
-	UniChar *s;
-	s = (UniChar *)p_utf16_string;
-
-	int len;
-	len = p_length * 2;
-
-	char *d;
-	d = (char *)malloc(p_length);
-
-	int destlen;
-	destlen = 0;
-
+	UniChar *s = (UniChar *)p_utf16_string;
+	int len = p_length * 2;
+	char *d = (char *)malloc(p_length);
+	int destlen = 0;
 	ByteCount processedbytes, outlength;
-
+    
+    // Use separate pointer to d string so that we can return the original d
+    char *dptr = d;
 	while(len > 1)
 	{
 		ConvertFromUnicodeToText(s_unicode_converter, len, (UniChar *)s,
 								 kUnicodeLooseMappingsMask
 								 | kUnicodeStringUnterminatedBit
 								 | kUnicodeUseFallbacksBit, 0, NULL, 0, NULL,
 								 p_length - destlen, &processedbytes,
-								 &outlength, (LogicalAddress)d);
+								 &outlength, (LogicalAddress)dptr);
 		if (processedbytes == 0)
 		{
-			*d = '?';
+			*dptr = '?';
 			processedbytes = 2;
 			outlength = 1;
 		}
 
 		len -= processedbytes;
 		destlen += outlength;
 		s += processedbytes;
-		d += outlength;
+		dptr += outlength;
 	}
 
 	return d;

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+# Fix crash when converting from utf16 with revDataFromQuery`