Avoid buffer overrun on encryption

Make sure we null-terminate encrypted strings before passing them to
UTF8ToString.

This used to work when we allocated the buffer on the stack, because it turns
out that allocate() zeroinits the returned memory. malloc(), of course, does
not.

2 files changed, 16 insertions, 0 deletions

diff --git a/javascript/olm_outbound_group_session.js b/javascript/olm_outbound_group_session.js
index 0402c3c..24ea644 100644
--- a/javascript/olm_outbound_group_session.js
+++ b/javascript/olm_outbound_group_session.js
@@ -83,6 +83,14 @@ OutboundGroupSession.prototype['encrypt'] = function(plaintext) {
             plaintext_buffer, plaintext_length,
             message_buffer, message_length
         );
+
+        // UTF8ToString requires a null-terminated argument, so add the
+        // null terminator.
+        Module['setValue'](
+            message_buffer+message_length,
+            0, "i8"
+        );
+
         return Module['UTF8ToString'](message_buffer);
     } finally {
         if (plaintext_buffer !== undefined) {
diff --git a/javascript/olm_post.js b/javascript/olm_post.js
index 3e80c0b..65eab02 100644
--- a/javascript/olm_post.js
+++ b/javascript/olm_post.js
@@ -335,6 +335,14 @@ Session.prototype['encrypt'] = restore_stack(function(
             random, random_length,
             message_buffer, message_length
         );
+
+        // UTF8ToString requires a null-terminated argument, so add the
+        // null terminator.
+        Module['setValue'](
+            message_buffer+message_length,
+            0, "i8"
+        );
+
         return {
             "type": message_type,
             "body": Module['UTF8ToString'](message_buffer),