author | cinap_lenrek <cinap_lenrek@felloff.net> | 2021-10-31 12:39:46 +0000 |
---|---|---|
committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2021-10-31 12:39:46 +0000 |
commit | 9d15403fda575ab73c5501970fe3835265b05aee (patch) | |
tree | 9cb4def02ed32ac5429867cdec0866434890dba3 /sys/src/libc | |
parent | 7b4e3be27e510fd93f46c8a10375c509f868df92 (diff) |
libc: fix overflow of domain component rune buffer for idn2utf()
If the source string has a run of more than 256 runes without
a "." (dot), we'd overflow the rune buffer in idn2utf().
The utf2idn() routine had a check in the while loop, but that
is actually wrong too, as it would insert a dot and restart
the loop in the middle of a domain component. Just error
out if a domain component is too long.
Diffstat (limited to 'sys/src/libc')
-rw-r--r-- | sys/src/libc/9sys/idn.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/src/libc/9sys/idn.c b/sys/src/libc/9sys/idn.c
index d3ad55dd8..ad05890a8 100644
--- a/sys/src/libc/9sys/idn.c
+++ b/sys/src/libc/9sys/idn.c
@@ -200,6 +200,8 @@ idn2utf(char *name, char *buf, int nbuf)
 n = chartorune(&r, cp+nc);
 if(r == '.')
 break;
+ if(nr >= nelem(rb))
+ return -1;
 rb[nr++] = r;
 nc += n;
 }
@@ -234,10 +236,12 @@ utf2idn(char *name, char *buf, int nbuf)
 cp = name;
 for(;;){
 nc = nr = 0;
- while(cp[nc] != 0 && nr < nelem(rb)){
+ while(cp[nc] != 0){
 n = chartorune(&r, cp+nc);
 if(r == '.')
 break;
+ if(nr >= nelem(rb))
+ return -1;
 rb[nr++] = r;
 nc += n;
 }
|
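Review bot: The added `if(nr >= nelem(rb)) return -1;` in the idn2utf() loop carries no comment, and the same guard is repeated verbatim in the utf2idn() hunk below, so the bound now has to be kept correct in two places. A one-line comment above the check, such as `/* component does not fit rb: fail rather than write past it */`, would make it clear that the test must stay ahead of `rb[nr++] = r;`. Since the two collection loops are now line-for-line identical, a small static helper holding the loop would leave a single copy of the bounds check. The body of idn2utf() starts and ends outside the hunk.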
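Review bot: The limit enforced by `if(nr >= nelem(rb))` in utf2idn() is the capacity of the rune buffer, not the 63-octet DNS label limit, so a component that fits `rb` may still encode to a label too long for the wire unless code outside this hunk checks the encoded length. The -1 return for an over-long component is also a new failure mode for callers, which are not visible here; any that ignore the result and go on to use `buf` should be checked. Stating the contract in the function's header comment or manual page, for example `/* returns -1 if a domain component exceeds nelem(rb) runes */`, would make it explicit. The body of utf2idn() continues outside the hunk.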