
Commit 582d086

committed
[[ Bug 20898 ]] Ensure malloc'd pointer is not incremented before free
1 parent b92eb44 commit 582d086

2 files changed

+11
-16
lines changed


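--- a/docs/notes/bugfix-20898.md
+++ b/docs/notes/bugfix-20898.md
@@ -0,0 +1 @@
+# Fix crash when converting from utf16 with revDataFromQuery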

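--- a/libexternal/src/osxsupport.cpp
+++ b/libexternal/src/osxsupport.cpp
@@ -98,39 +98,33 @@ char *string_from_utf16(const unsigned short *p_utf16_string, int p_length)
 &s_unicode_converter);
 }
 
-UniChar *s;
-s = (UniChar *)p_utf16_string;
-
-int len;
-len = p_length * 2;
-
-char *d;
-d = (char *)malloc(p_length);
-
-int destlen;
-destlen = 0;
-
+UniChar *s = (UniChar *)p_utf16_string;
+int len = p_length * 2;
+char *d = (char *)malloc(p_length);
+int destlen = 0;
 ByteCount processedbytes, outlength;
-
+
+// Use separate pointer to d string so that we can return the original d
+char *dptr = d;
 while(len > 1)
 {
 ConvertFromUnicodeToText(s_unicode_converter, len, (UniChar *)s,
 kUnicodeLooseMappingsMask
 | kUnicodeStringUnterminatedBit
 | kUnicodeUseFallbacksBit, 0, NULL, 0, NULL,
 p_length - destlen, &processedbytes,
-&outlength, (LogicalAddress)d);
+&outlength, (LogicalAddress)dptr);
 if (processedbytes == 0)
 {
-*d = '?';
+*dptr = '?';
 processedbytes = 2;
 outlength = 1;
 }
 
 len -= processedbytes;
 destlen += outlength;
 s += processedbytes;
-d += outlength;
+dptr += outlength;
 }
 
 return d;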
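Review bot: The fallback store `*dptr = '?';` is not bounded by `p_length`, and the result of `malloc(p_length)` is used without a NULL check, so the new pointer can still write outside the allocation in two ways. If the converter reports `processedbytes == 0` once `destlen` has reached `p_length` (plausible when the output is full, though the call's return status is ignored here), the `'?'` lands one byte past the buffer; I would add `if (d == NULL) return NULL;` after the allocation and `if (destlen >= p_length) break;` before the fallback store. Separately, `s += processedbytes;` advances a `UniChar *` by a byte count while `len` is tracked in bytes, so after a partial conversion the source pointer appears to move twice as far as `len` accounts for; `s += processedbytes / sizeof(UniChar);` would keep the two in step. string_from_utf16 starts before and continues past this hunk, so terminator and length handling could not be checked from here.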
