cygwin wcsxfrm: byte swap result ourselves
Workaround a bug (or undocumented behaviour) in LCMapStringW: It's documented(*) that the cchDest parameter is a byte count with LCMAP_SORTKEY, but a character count otherwise. But the docs don't state what happens if you combine LCMAP_SORTKEY with LCMAP_BYTEREV. Tests indicate that LCMAP_SORTKEY treats cchDest as byte count, but then LCMAP_BYTEREV treats it as char count in the same call. So the latter swaps twice as much bytes in the destination buffer than the byte count it returns, which potentially results in writing past the end of the given output buffer. Solution: Don't specify LCMAP_BYTEREV in the LCMapStringW(LCMAP_SORTKEY) call, rather byte swap afterwards. (*) https://msdn.microsoft.com/en-us/library/windows/desktop/dd318702(v=vs.85).aspx Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This commit is contained in:
parent
780503f6ac
commit
c0d7d3e1a2
@ -1196,15 +1196,21 @@ wcsxfrm_l (wchar_t *__restrict ws1, const wchar_t *__restrict ws2, size_t wsn,
|
||||
|
||||
if (!collate_lcid)
|
||||
return wcslcpy (ws1, ws2, wsn);
|
||||
ret = LCMapStringW (collate_lcid, LCMAP_SORTKEY | LCMAP_BYTEREV,
|
||||
ws2, -1, ws1, wsn * sizeof (wchar_t));
|
||||
/* LCMapStringW returns byte count including the terminating NUL character,
|
||||
wcsxfrm is supposed to return length in wchar_t excluding the NUL.
|
||||
Since the array is only single byte NUL-terminated we must make sure
|
||||
the result is wchar_t-NUL terminated. */
|
||||
/* Don't use LCMAP_SORTKEY in conjunction with LCMAP_BYTEREV. The cchDest
|
||||
parameter is used as byte count with LCMAP_SORTKEY but as char count with
|
||||
LCMAP_BYTEREV. */
|
||||
ret = LCMapStringW (collate_lcid, LCMAP_SORTKEY, ws2, -1, ws1,
|
||||
wsn * sizeof (wchar_t));
|
||||
if (ret)
|
||||
{
|
||||
ret /= sizeof (wchar_t);
|
||||
/* Byte swap the array ourselves here. */
|
||||
for (size_t idx = 0; idx < ret; ++idx)
|
||||
ws1[idx] = __builtin_bswap16 (ws1[idx]);
|
||||
/* LCMapStringW returns byte count including the terminating NUL char.
|
||||
wcsxfrm is supposed to return length in wchar_t excluding the NUL.
|
||||
Since the array is only single byte NUL-terminated yet, make sure
|
||||
the result is wchar_t-NUL terminated. */
|
||||
if (ret < wsn)
|
||||
ws1[ret] = L'\0';
|
||||
return ret;
|
||||
@ -1213,8 +1219,7 @@ wcsxfrm_l (wchar_t *__restrict ws1, const wchar_t *__restrict ws2, size_t wsn,
|
||||
set_errno (EINVAL);
|
||||
else
|
||||
{
|
||||
ret = LCMapStringW (collate_lcid, LCMAP_SORTKEY | LCMAP_BYTEREV, ws2, -1,
|
||||
NULL, 0);
|
||||
ret = LCMapStringW (collate_lcid, LCMAP_SORTKEY, ws2, -1, NULL, 0);
|
||||
if (ret)
|
||||
wsn = ret / sizeof (wchar_t);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user