overflow of static ‘plugin_file’ in uplug_init()

Description

The uplug_init() function may overflow the static ‘plugin_file’ string if a long ‘ICU_PLUGINS’ environment variable is specified.

In uplug_init() there are several calls to concatenate strings to ‘plugin_file’:

    uprv_strncpy(plugin_file, plugin_dir, 2047);
    uprv_strncat(plugin_file, U_FILE_SEP_STRING,2047);
    uprv_strncat(plugin_file, "icuplugins",2047);
    uprv_strncat(plugin_file, U_ICU_VERSION_SHORT ,2047);
    uprv_strncat(plugin_file, ".txt" ,2047);

The numeric length bounds provided to uprv_strncat (which wraps strncat) only limit the lengths of the second argument strings; the length arguments do not prevent strncat from overflowing the fixed-size ‘plugin_file’ buffer.

Test (running a unit test):

    ICU_PLUGINS=`printf "%0.s-" {1..2040}` DYLD_LIBRARY_PATH=lib:stubdata:tools/ctestfw:$DYLD_LIBRARY_PATH test/intltest/intltest "-E/Users/aaron/src/icu/source/test/tmp/status.52198.deleteme.intltest"

Output:

    -----------------------------------------------
     IntlTest (C++) Test Suite for
       International Components for Unicode 53.1
       Bits: 64, Byte order: Little endian, Chars: ASCII
    -----------------------------------------------
     Options:
       all (a)                  : On
       Verbose (v)              : Off
       No error messages (n)    : Off
       Exhaustive (e)           : Off
       Leaks (l)                : Off
       utf-8 (u)                : Off
       notime (T)               : Off
       noknownissues (K)        : Off
       Warn on missing data (w) : Off
       Threads                  : 1
    -----------------------------------------------
    Abort trap: 6
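The description's point about strncat bounds, as an added example that is not ICU's code or its actual fix: each append is checked against the space remaining in the destination, and an oversized directory is rejected instead of overflowing. The function names, the `FILE_SEP` and `VERSION_SHORT` stand-ins, and the 2048-byte buffer size are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for this example; the real values live in ICU's headers. */
#define FILE_SEP "/"
#define VERSION_SHORT "53"

/* Append src to dst (capacity dstsize, including the NUL) only if it fits.
 * strncat's third argument limits bytes taken from src, so the correct bound
 * is the space left in dst, not the total size of dst. */
static int bounded_append(char *dst, size_t dstsize, const char *src) {
    size_t used = strlen(dst);
    size_t need = strlen(src);
    if (used >= dstsize || need > dstsize - used - 1) {
        return -1;                      /* would overflow: reject, do not truncate */
    }
    memcpy(dst + used, src, need + 1);  /* copies the terminating NUL too */
    return 0;
}

/* Build "<dir>/icuplugins<ver>.txt" into dst. Returns 0 on success, -1 if the
 * result does not fit, in which case dst is left as an empty string. */
int build_plugin_path(char *dst, size_t dstsize, const char *dir) {
    const char *parts[] = { dir, FILE_SEP, "icuplugins", VERSION_SHORT, ".txt" };
    size_t i;
    if (dst == NULL || dstsize == 0 || dir == NULL) return -1;
    dst[0] = '\0';
    for (i = 0; i < sizeof parts / sizeof parts[0]; i++) {
        if (bounded_append(dst, dstsize, parts[i]) != 0) {
            dst[0] = '\0';
            return -1;
        }
    }
    return 0;
}

int main(void) {
    char path[2048];               /* assumed size for the fixed buffer */
    char long_dir[2041];
    memset(long_dir, '-', 2040);   /* same 2040-byte value as the test above */
    long_dir[2040] = '\0';
    printf("short: %d\n", build_plugin_path(path, sizeof path, "/usr/lib/icu"));
    printf("long:  %d\n", build_plugin_path(path, sizeof path, long_dir));
    return 0;
}
```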

Environment

Status

Assignee: Steven R. Loomis

Reporter: TracBot

tracCc: pedberg

tracCreated: May 07, 2014, 11:08 PM

tracOwner: srl

tracProject: ICU4C

tracReporter: aaron.staple@f74d39fa044aa309

tracResolution: fixed

tracReviewer: andy

tracStatus: closed

Components

Fix versions

Priority: critical