authorJessica Hamilton <jessica.l.hamilton@gmail.com>2017-01-11 12:20:31 (GMT)
committerJessica Hamilton <jessica.l.hamilton@gmail.com>2017-01-11 14:33:04 (GMT)
commit079ab7f0b101bc237633490cb8964f7991bedf6a (patch)
tree5b7b3a3a96b36dee5856677c88c0bde05b148d2f
parent4d83a710f5cd775ec282f8dd28c22a460cdc05b0 (diff)
ICU add-on: validate mbState->converter before attempting to close.
This resolves crashes in gawk with multibyte support. Fixes #12515, #13103.
-rw-r--r--src/system/libroot/add-ons/icu/ICUCtypeData.cpp7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/system/libroot/add-ons/icu/ICUCtypeData.cpp b/src/system/libroot/add-ons/icu/ICUCtypeData.cpp
index 9fd3ff2..6eed437 100644
--- a/src/system/libroot/add-ons/icu/ICUCtypeData.cpp
+++ b/src/system/libroot/add-ons/icu/ICUCtypeData.cpp
@@ -551,8 +551,13 @@ ICUCtypeData::_GetConverterForMbState(mbstate_t* mbState,
status_t
ICUCtypeData::_DropConverterFromMbState(mbstate_t* mbState)
{
- if (mbState->converter != NULL)
+ if (mbState->converter != NULL && (char*)mbState->converter >= mbState->data
+ && (char*)mbState->converter < mbState->data + 8) {
+ // check that the converter actually lives in *this* mbState,
+ // otherwise we risk freeing a converter that doesn't belong to us;
+ // this parallels the check in _GetConverterForMbState()
ucnv_close((UConverter*)mbState->converter);
+ }
memset(mbState, 0, sizeof(mbstate_t));
return B_OK;
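Review bot: The upper bound `mbState->data + 8` in the new condition is a bare magic number, and per the added comment it has to match the check in _GetConverterForMbState(), which lies outside this hunk. If the two ranges drift apart, this function would either skip a converter the other one created, leaking it when the memset() clears the state, or pass a pointer it does not own to ucnv_close(). A named constant shared by both functions would prevent that, e.g. `&& (char*)mbState->converter < mbState->data + kConverterWindow) {` (the name is only a suggestion), with a comment saying what the 8 bytes represent. The range test also only establishes where the pointer points, not that a converter was ever constructed there, so an mbstate_t that was never zeroed and happens to hold an in-range value would still reach ucnv_close(); it is worth documenting that callers must zero-initialise the state. The function's closing brace is not among the visible lines.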