Prevent buffer overruns when converting malformed UTF16 to UTF8. Ticket #3482. (CVS 5869)

FossilOrigin-Name: 3f657e88767f60d305dd6151e7aa54363341d052
author: drh <drh@noemail.net> 2008-11-07 03:29:33 +0000
committer: drh <drh@noemail.net> 2008-11-07 03:29:33 +0000
commit: bbf695d6ead1f517d9331dd7476c81b98c63f521 (patch)
tree: 90b298b053b8509a726f57aaf826dbb8477b39eb /src
parent: 98c58356aebe4447a43d3c4c17beabbd300b0fdc (diff)
download: sqlite-bbf695d6ead1f517d9331dd7476c81b98c63f521.tar.gz
sqlite-bbf695d6ead1f517d9331dd7476c81b98c63f521.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/src/utf.c b/src/utf.c
index 2071419b2..5b23d37fa 100644
--- a/src/utf.c
+++ b/src/utf.c
@@ -12,7 +12,7 @@
 ** This file contains routines used to translate between UTF-8, 
 ** UTF-16, UTF-16BE, and UTF-16LE.
 **
-** $Id: utf.c,v 1.65 2008/08/12 15:04:59 danielk1977 Exp $
+** $Id: utf.c,v 1.66 2008/11/07 03:29:34 drh Exp $
 **
 ** Notes on UTF-8:
 **
@@ -226,7 +226,7 @@ int sqlite3VdbeMemTranslate(Mem *pMem, u8 desiredEnc){
       return SQLITE_NOMEM;
     }
     zIn = (u8*)pMem->z;
-    zTerm = &zIn[pMem->n];
+    zTerm = &zIn[pMem->n&~1];
     while( zIn<zTerm ){
       temp = *zIn;
       *zIn = *(zIn+1);
@@ -244,6 +244,7 @@ int sqlite3VdbeMemTranslate(Mem *pMem, u8 desiredEnc){
     ** A single byte is required for the output string
     ** nul-terminator.
     */
+    pMem->n &= ~1;
     len = pMem->n * 2 + 1;
   }else{
     /* When converting from UTF-8 to UTF-16 the maximum growth is caused
author	drh <drh@noemail.net>	2008-11-07 03:29:33 +0000
committer	drh <drh@noemail.net>	2008-11-07 03:29:33 +0000
commit	bbf695d6ead1f517d9331dd7476c81b98c63f521 (patch)
tree	90b298b053b8509a726f57aaf826dbb8477b39eb /src
parent	98c58356aebe4447a43d3c4c17beabbd300b0fdc (diff)
download	sqlite-bbf695d6ead1f517d9331dd7476c81b98c63f521.tar.gz sqlite-bbf695d6ead1f517d9331dd7476c81b98c63f521.zip