authorRichard van der Hoff <richard@matrix.org>2016-12-16 14:42:41 +0000
committerRichard van der Hoff <richard@matrix.org>2016-12-16 14:42:41 +0000
commit8e554ab5ef5a17c7eb271000217e036be07d88db (patch)
treee53c21d74558b47c7c20238d75d814273b399a82
parent7fd63bcac7110abd5a1eef927abc3184da68a35c (diff)
Avoid buffer overrun on encryption
Make sure we null-terminate encrypted strings before passing them to UTF8ToString. This used to work when we allocated the buffer on the stack, because it turns out that allocate() zeroinits the returned memory. malloc(), of course, does not.
-rw-r--r--javascript/olm_outbound_group_session.js8
-rw-r--r--javascript/olm_post.js8
2 files changed, 16 insertions, 0 deletions
diff --git a/javascript/olm_outbound_group_session.js b/javascript/olm_outbound_group_session.js
index 0402c3c..24ea644 100644
--- a/javascript/olm_outbound_group_session.js
+++ b/javascript/olm_outbound_group_session.js
@@ -83,6 +83,14 @@ OutboundGroupSession.prototype['encrypt'] = function(plaintext) {
plaintext_buffer, plaintext_length,
message_buffer, message_length
);
+
+ // UTF8ToString requires a null-terminated argument, so add the
+ // null terminator.
+ Module['setValue'](
+ message_buffer+message_length,
+ 0, "i8"
+ );
+
return Module['UTF8ToString'](message_buffer);
} finally {
if (plaintext_buffer !== undefined) {
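Review bot: The added `Module['setValue'](message_buffer+message_length, 0, "i8")` writes at offset `message_length`, so it is only in bounds if `message_buffer` was allocated with at least `message_length + 1` bytes. The allocation is outside this hunk (the function body starts before it and continues after it), so this should be confirmed; if the buffer is exactly `message_length` bytes long, the change trades the over-read in UTF8ToString for a one-byte write past the end of the heap allocation. The same applies to the identical block in the `Session.prototype['encrypt']` hunk in javascript/olm_post.js. I would extend the comment at the write to state the requirement, e.g. `// message_buffer must be allocated with message_length + 1 bytes`, so the coupling between the allocation size and the terminator stays visible.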
diff --git a/javascript/olm_post.js b/javascript/olm_post.js
index 3e80c0b..65eab02 100644
--- a/javascript/olm_post.js
+++ b/javascript/olm_post.js
@@ -335,6 +335,14 @@ Session.prototype['encrypt'] = restore_stack(function(
random, random_length,
message_buffer, message_length
);
+
+ // UTF8ToString requires a null-terminated argument, so add the
+ // null terminator.
+ Module['setValue'](
+ message_buffer+message_length,
+ 0, "i8"
+ );
+
return {
"type": message_type,
"body": Module['UTF8ToString'](message_buffer),