authorRichard van der Hoff <richard@matrix.org>2016-12-16 14:42:41 +0000
committerRichard van der Hoff <richard@matrix.org>2016-12-16 14:42:41 +0000
commit8e554ab5ef5a17c7eb271000217e036be07d88db (patch)
treee53c21d74558b47c7c20238d75d814273b399a82 /javascript
parent7fd63bcac7110abd5a1eef927abc3184da68a35c (diff)
Avoid buffer overrun on encryption
Make sure we null-terminate encrypted strings before passing them to UTF8ToString. This used to work when we allocated the buffer on the stack, because it turns out that allocate() zeroinits the returned memory. malloc(), of course, does not.
Diffstat (limited to 'javascript')
-rw-r--r--javascript/olm_outbound_group_session.js8
-rw-r--r--javascript/olm_post.js8
2 files changed, 16 insertions, 0 deletions
diff --git a/javascript/olm_outbound_group_session.js b/javascript/olm_outbound_group_session.js
index 0402c3c..24ea644 100644
--- a/javascript/olm_outbound_group_session.js
+++ b/javascript/olm_outbound_group_session.js
@@ -83,6 +83,14 @@ OutboundGroupSession.prototype['encrypt'] = function(plaintext) {
plaintext_buffer, plaintext_length,
message_buffer, message_length
);
+
+ // UTF8ToString requires a null-terminated argument, so add the
+ // null terminator.
+ Module['setValue'](
+ message_buffer+message_length,
+ 0, "i8"
+ );
+
return Module['UTF8ToString'](message_buffer);
} finally {
if (plaintext_buffer !== undefined) {
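Review bot: The terminator is written at `message_buffer+message_length`, one byte beyond the `message_length` bytes handed to the encrypt call, so it is in bounds only if the buffer was allocated with at least `message_length + 1` bytes. The allocation sits above this hunk and the commit does not touch it (0 deletions), so that needs confirming; if the buffer is exactly `message_length` bytes, the over-read in UTF8ToString becomes a one-byte heap write past the end. The same applies to the identical write in Session.prototype['encrypt'] in olm_post.js. I would extend the comment to record the requirement: `// message_buffer must be allocated with message_length + 1 bytes to hold this terminator`. The function body starts before and continues after this hunk.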
diff --git a/javascript/olm_post.js b/javascript/olm_post.js
index 3e80c0b..65eab02 100644
--- a/javascript/olm_post.js
+++ b/javascript/olm_post.js
@@ -335,6 +335,14 @@ Session.prototype['encrypt'] = restore_stack(function(
random, random_length,
message_buffer, message_length
);
+
+ // UTF8ToString requires a null-terminated argument, so add the
+ // null terminator.
+ Module['setValue'](
+ message_buffer+message_length,
+ 0, "i8"
+ );
+
return {
"type": message_type,
"body": Module['UTF8ToString'](message_buffer),
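Review bot: The read in `Module['UTF8ToString'](message_buffer)` still depends on a sentinel byte even though `message_length` is known here, so any later path that skips or misplaces the terminator write brings the over-read back. If the Emscripten version in use accepts a byte limit on UTF8ToString, passing it bounds the read by construction: `"body": Module['UTF8ToString'](message_buffer, message_length),`. The same would apply to the return in OutboundGroupSession.prototype['encrypt']. The enclosing function starts above this hunk and the returned object literal continues past it.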