xnu-1504.9.37.tar.gz

[apple/xnu.git] / bsd / hfs / hfs_encodings.c

diff --git a/bsd/hfs/hfs_encodings.c b/bsd/hfs/hfs_encodings.c
index bc644b39d1b6bc2e96058b9b435c573bed8473c3..4a67567b26ea60c03409972eba605d3319f9f307 100644 (file)
--- a/bsd/hfs/hfs_encodings.c
+++ b/bsd/hfs/hfs_encodings.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000-2005 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 2000-2010 Apple Computer, Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
@@ -239,8 +239,20 @@ hfs_to_utf8(ExtendedVCB *vcb, const Str31 hfs_str, ByteCount maxDstLen, ByteCoun
        UniChar uniStr[MAX_HFS_UNICODE_CHARS];
        ItemCount uniCount;
        size_t utf8len;
+       u_int8_t pascal_length = 0;
        hfs_to_unicode_func_t hfs_get_unicode = VCBTOHFS(vcb)->hfs_get_unicode;
 
+       /* 
+        * Validate the length of the Pascal-style string before passing it
+        * down to the decoding engine.
+        */
+       pascal_length = *((const u_int8_t*)(hfs_str));
+       if (pascal_length > 31) {
+               /* invalid string; longer than 31 bytes */
+               error = EINVAL;
+               return error;
+       }       
+
        error = hfs_get_unicode(hfs_str, uniStr, MAX_HFS_UNICODE_CHARS, &uniCount);
        
        if (uniCount == 0)
@@ -269,6 +281,18 @@ mac_roman_to_utf8(const Str31 hfs_str, ByteCount maxDstLen, ByteCount *actualDst
        UniChar uniStr[MAX_HFS_UNICODE_CHARS];
        ItemCount uniCount;
        size_t utf8len;
+       u_int8_t pascal_length = 0;
+
+       /* 
+        * Validate the length of the Pascal-style string before passing it
+        * down to the decoding engine.
+        */
+       pascal_length = *((const u_int8_t*)(hfs_str));
+       if (pascal_length > 31) {
+               /* invalid string; longer than 31 bytes */
+               error = EINVAL;
+               return error;
+       }       
 
        error = mac_roman_to_unicode(hfs_str, uniStr, MAX_HFS_UNICODE_CHARS, &uniCount);