[Libreoffice-commits] core.git: tools/source

Noel Grandin (via logerrit) logerrit at kemper.freedesktop.org
Sat Oct 2 20:36:50 UTC 2021


 tools/source/misc/json_writer.cxx |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

New commits:
commit 9946a2fef07840ff4ca842928afbeeb52ece3603
Author:     Noel Grandin <noelgrandin at gmail.com>
AuthorDate: Sat Oct 2 13:18:37 2021 +0200
Commit:     Michael Meeks <michael.meeks at collabora.com>
CommitDate: Sat Oct 2 22:36:17 2021 +0200

    fix buffer overruns in JsonWriter::put with UTF-8 values
    
    Change-Id: I694585a1a540bfefc0e59bd58d8033a96ca35acb
    Signed-off-by: Michael Meeks <michael.meeks at collabora.com>
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/122996
    Tested-by: Jenkins

diff --git a/tools/source/misc/json_writer.cxx b/tools/source/misc/json_writer.cxx
index f002ddc391aa..30ad911f9754 100644
--- a/tools/source/misc/json_writer.cxx
+++ b/tools/source/misc/json_writer.cxx
@@ -200,7 +200,10 @@ void JsonWriter::writeEscapedOUString(const OUString& rPropVal)
 void JsonWriter::put(const char* pPropName, const OUString& rPropVal)
 {
     auto nPropNameLength = strlen(pPropName);
-    auto nWorstCasePropValLength = rPropVal.getLength() * 2;
+    // But values can be any UTF-8,
+    // see rtl_ImplGetFastUTF8ByteLen in sal/rtl/string.cxx for why a factor 3
+    // is the worst case
+    auto nWorstCasePropValLength = rPropVal.getLength() * 3;
     ensureSpace(nPropNameLength + nWorstCasePropValLength + 8);
 
     addCommaBeforeField();
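Review bot: The factor in `rPropVal.getLength() * 3` bounds the UTF-16 to UTF-8 conversion, but the new comment does not say whether escaping is covered by it. The hunk header shows a `writeEscapedOUString` helper just above this function. If the value is written through it and any single code unit can come out longer than three bytes (a `\uXXXX` form would be six), the reservation is still too small. The escaping code is outside the hunk, so this needs confirming there, and the comment should state the combined bound, e.g. `// worst case per UTF-16 unit: max(3 UTF-8 bytes, longest escape sequence)`. The same factor is used in `putSimpleValue` in the third hunk, and the body of `put` continues outside this hunk.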
@@ -220,8 +223,10 @@ void JsonWriter::put(const char* pPropName, const OUString& rPropVal)
 
 void JsonWriter::put(const char* pPropName, const OString& rPropVal)
 {
+    // we assume property names are ascii
     auto nPropNameLength = strlen(pPropName);
-    auto nWorstCasePropValLength = rPropVal.getLength();
+    // escaping can double the length
+    auto nWorstCasePropValLength = rPropVal.getLength() * 2;
     ensureSpace(nPropNameLength + nWorstCasePropValLength + 8);
 
     addCommaBeforeField();
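Review bot: `rPropVal.getLength() * 2` is evaluated in the string's signed 32-bit length type before it is added to the `size_t` from `strlen`. A very long value can therefore overflow the multiplication and produce a reservation that is too small or negative. Widening first avoids that: `auto nWorstCasePropValLength = static_cast<size_t>(rPropVal.getLength()) * 2;`. The `* 3` lines in the first and third hunks have the same shape. The parameter type of `ensureSpace` and the rest of this function are outside the hunk, so check that the widened value is not narrowed again there.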
@@ -372,7 +377,7 @@ void JsonWriter::put(const char* pPropName, bool nPropVal)
 
 void JsonWriter::putSimpleValue(const OUString& rPropVal)
 {
-    auto nWorstCasePropValLength = rPropVal.getLength() * 2;
+    auto nWorstCasePropValLength = rPropVal.getLength() * 3;
     ensureSpace(nWorstCasePropValLength + 4);
 
     addCommaBeforeField();
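Review bot: The multiplier in `putSimpleValue` changes from 2 to 3 with no comment, while the two `put` overloads in this commit each get one explaining their factor. A reader of this function alone cannot tell where the 3 comes from or that it must stay in step with the `OUString` overload of `put`. Add above the line: `// worst case is 3 UTF-8 bytes per UTF-16 code unit, see rtl_ImplGetFastUTF8ByteLen in sal/rtl/string.cxx`. The function body continues outside the hunk.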

