AIX core dump in _strToWCS when the length of the input WString is 1000

Description

(1) call u_strToWCS with the input WString and its length = 1000
(2) u_starToWCS will call u_strToWCS
(3) u_strToWCS will call _strToWCS
(4) inside _strToWCS (ustrtrns.c)
ucnv_fromUnicode(conv,&target,targetlimit,&src,srclimit,NULL,FALSE,&retcode)

where src contains 1000 Wchar string
srclimit = src + 1000

(6) the retcode is U_BUFFER_OVERFLOW_ERROR from ucnv_fromUnicode
srcLimit - src = 2 (???????)

(7) call u_growAnyBufferFromStatic(context,pBuffer, pCapacity, ReqCapacity,
length, size)
where ReqCapacity is (2*(srcLimit-src)+100) = 104

(8) inside u_growAnyBufferFromStatic (ustrtrns.c)

newBuffer = uprv_malloc(ReqCapacity*size); /* allocate 104 bytes */
if (length>0) /* length = 1000 */
    uprv_memcpy(newBuffer, PBuffer, length*size); /* length*size = 1000 */

uprv_malloc only allocates a 104-byte buffer and uprv_memcpy was trying to copy 1000 bytes into this 104-byte buffer, and that caused the core dump.

This problem ONLY occurred when the request is sent from a Windows client to an AIX server. It is working from AIX client to AIX server.
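
The size mismatch in steps (7) and (8), rechecked with the report's numbers. This is an added example, not ICU's code: `grow_from_static` and `required_capacity` are hypothetical names. It assumes `length` is the number of elements that must be preserved from the old buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the grow helper in the report; not ICU's code.
 * Returns 1 on success, 0 on failure (caller's buffer left untouched). */
static int grow_from_static(void **pBuffer, int32_t *pCapacity,
                            int32_t reqCapacity, int32_t length, size_t size)
{
    void *newBuffer;
    /* The reported case: more elements to preserve than the new buffer holds. */
    if (reqCapacity <= 0 || length < 0 || length > reqCapacity || size == 0)
        return 0;
    /* Guard the byte-count multiplication against wrap-around. */
    if ((size_t)reqCapacity > SIZE_MAX / size)
        return 0;

    newBuffer = malloc((size_t)reqCapacity * size);
    if (newBuffer == NULL)
        return 0;
    if (length > 0)
        memcpy(newBuffer, *pBuffer, (size_t)length * size);

    *pBuffer = newBuffer;   /* old static buffer stays owned by the caller */
    *pCapacity = reqCapacity;
    return 1;
}

/* Assumed caller-side sizing: the report's estimate, but never smaller than
 * what must be preserved. Returns -1 if the result does not fit in int32_t. */
static int32_t required_capacity(int32_t length, int32_t remainingSrc)
{
    int64_t estimate = 2 * (int64_t)remainingSrc + 100; /* formula from report */
    int64_t minimum = (int64_t)length + 100;
    int64_t need = estimate > minimum ? estimate : minimum;
    return need > INT32_MAX ? -1 : (int32_t)need;
}

int main(void)
{
    char stackBuf[1000] = {0};   /* constructed sample: 1000 one-byte units */
    void *buf = stackBuf;
    int32_t cap = (int32_t)sizeof stackBuf;
    printf("104 for 1000: %d\n", grow_from_static(&buf, &cap, 104, 1000, 1));
    printf("resized to:   %d\n", required_capacity(1000, 2));
    return 0;
}
```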

Assignee: TracBot

Reporter: TracBot

Priority: critical