diff options
author | Richard van der Hoff <richard@matrix.org> | 2016-12-16 14:42:41 +0000 |
---|---|---|
committer | Richard van der Hoff <richard@matrix.org> | 2016-12-16 14:42:41 +0000 |
commit | 8e554ab5ef5a17c7eb271000217e036be07d88db (patch) | |
tree | e53c21d74558b47c7c20238d75d814273b399a82 /javascript | |
parent | 7fd63bcac7110abd5a1eef927abc3184da68a35c (diff) |
Avoid buffer overrun on encryption
Make sure we null-terminate encrypted strings before passing them to
UTF8ToString.
This used to work when we allocated the buffer on the stack, because it turns
out that allocate() zeroinits the returned memory. malloc(), of course, does
not.
Diffstat (limited to 'javascript')
-rw-r--r-- | javascript/olm_outbound_group_session.js | 8 | ||||
-rw-r--r-- | javascript/olm_post.js | 8 |
2 files changed, 16 insertions, 0 deletions
diff --git a/javascript/olm_outbound_group_session.js b/javascript/olm_outbound_group_session.js index 0402c3c..24ea644 100644 --- a/javascript/olm_outbound_group_session.js +++ b/javascript/olm_outbound_group_session.js @@ -83,6 +83,14 @@ OutboundGroupSession.prototype['encrypt'] = function(plaintext) { plaintext_buffer, plaintext_length, message_buffer, message_length ); + + // UTF8ToString requires a null-terminated argument, so add the + // null terminator. + Module['setValue']( + message_buffer+message_length, + 0, "i8" + ); + return Module['UTF8ToString'](message_buffer); } finally { if (plaintext_buffer !== undefined) { diff --git a/javascript/olm_post.js b/javascript/olm_post.js index 3e80c0b..65eab02 100644 --- a/javascript/olm_post.js +++ b/javascript/olm_post.js @@ -335,6 +335,14 @@ Session.prototype['encrypt'] = restore_stack(function( random, random_length, message_buffer, message_length ); + + // UTF8ToString requires a null-terminated argument, so add the + // null terminator. + Module['setValue']( + message_buffer+message_length, + 0, "i8" + ); + return { "type": message_type, "body": Module['UTF8ToString'](message_buffer), |