From 9946a2fef07840ff4ca842928afbeeb52ece3603 Mon Sep 17 00:00:00 2001
From: Noel Grandin
Date: Sat, 2 Oct 2021 13:18:37 +0200
Subject: fix buffer overruns in JsonWriter::put with UTF-8 values
Change-Id: I694585a1a540bfefc0e59bd58d8033a96ca35acb
Signed-off-by: Michael Meeks
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/122996
Tested-by: Jenkins
---
 tools/source/misc/json_writer.cxx | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'tools/source')
diff --git a/tools/source/misc/json_writer.cxx b/tools/source/misc/json_writer.cxx
index f002ddc391aa..30ad911f9754 100644
--- a/tools/source/misc/json_writer.cxx
+++ b/tools/source/misc/json_writer.cxx
@@ -200,7 +200,10 @@ void JsonWriter::writeEscapedOUString(const OUString& rPropVal)
 void JsonWriter::put(const char* pPropName, const OUString& rPropVal)
 {
 auto nPropNameLength = strlen(pPropName);
- auto nWorstCasePropValLength = rPropVal.getLength() * 2;
+ // But values can be any UTF-8,
+ // see rtl_ImplGetFastUTF8ByteLen in sal/rtl/string.cxx for why a factor 3
+ // is the worst case
+ auto nWorstCasePropValLength = rPropVal.getLength() * 3;
 ensureSpace(nPropNameLength + nWorstCasePropValLength + 8);
 addCommaBeforeField();
@@ -220,8 +223,10 @@ void JsonWriter::put(const char* pPropName, const OUString& rPropVal)
 void JsonWriter::put(const char* pPropName, const OString& rPropVal)
 {
+ // we assume property names are ascii
 auto nPropNameLength = strlen(pPropName);
- auto nWorstCasePropValLength = rPropVal.getLength();
+ // escaping can double the length
+ auto nWorstCasePropValLength = rPropVal.getLength() * 2;
 ensureSpace(nPropNameLength + nWorstCasePropValLength + 8);
 addCommaBeforeField();
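Review bot: The factor 3 in `put(const char*, const OUString&)` bounds only the UTF-16 to UTF-8 expansion, not what `writeEscapedOUString` adds on top, and that function's body is outside this hunk. If it emits any escape longer than three bytes for a single UTF-16 unit (a `\uXXXX` form would be six), `ensureSpace` still under-reserves and the write can run past the buffer again; the same bound is used in `putSimpleValue` in the last hunk. I would derive the multiplier from the longest sequence the escaper can produce per unit and say so in the comment, for example `// worst case per UTF-16 unit: max(3 UTF-8 bytes, longest escape written by writeEscapedOUString)`. The new comment also opens with "But" although no preceding sentence exists in this overload. `put`'s body continues outside the hunk.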
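Review bot: `rPropVal.getLength() * 2` is evaluated in the length's own integer type before it is added to the `size_t` from `strlen`, so a very long value can overflow the multiplication and hand `ensureSpace` a size that is too small. OString and OUString lengths are `sal_Int32`, which makes that overflow undefined behaviour rather than a wrap. Widening first avoids it: `auto nWorstCasePropValLength = static_cast<size_t>(rPropVal.getLength()) * 2;`; the `* 3` lines in the first and last hunks need the same treatment. The escaping loop this bound protects is outside the hunk, so the factor 2 itself cannot be checked from here.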
@@ -372,7 +377,7 @@ void JsonWriter::put(const char* pPropName, bool nPropVal)
 void JsonWriter::putSimpleValue(const OUString& rPropVal)
 {
- auto nWorstCasePropValLength = rPropVal.getLength() * 2;
+ auto nWorstCasePropValLength = rPropVal.getLength() * 3;
 ensureSpace(nWorstCasePropValLength + 4);
 addCommaBeforeField();
-- cgit
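Review bot: `putSimpleValue` repeats the bare `* 3` without the explanation that the `OUString` overload of `put` received, so the next reader has to find the other site to learn where the number comes from. A named constant shared by both call sites would keep them from drifting apart the next time the bound is revised; failing that, a comment on this line such as `// worst case: 3 UTF-8 bytes per UTF-16 code unit, see put(const char*, const OUString&)`. The function body continues outside the hunk.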