authorTom Yu <tlyu@mit.edu>2009-05-13 20:41:37 +0000
committerTom Yu <tlyu@mit.edu>2009-05-13 20:41:37 +0000
commit9c6c6de0ac5b08c31585350309cb85964b8e01e1 (patch)
tree2f49741a8c446eb83b37d7bdc878572af4bc0184 /src
parent99c9aee7bf69d5ede590afbd00e59f41bd2d0114 (diff)
In util/support/utf8_conv.c, the SWAP16 macro is invoked with an
argument that has side effects. On platforms where SWAP16 can evaluate its argument twice (including platforms where utf8_conv.c creates a fallback definition for the SWAP16 macro), this can cause a read overrun by a factor of two. Rearrange the data flow to avoid calling SWAP16 with an argument that has side effects. ticket: 6486 tags: pullup target_version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22348 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/util/support/utf8_conv.c10
1 files changed, 4 insertions, 6 deletions
diff --git a/src/util/support/utf8_conv.c b/src/util/support/utf8_conv.c
index f8e4a496b..f972565f9 100644
--- a/src/util/support/utf8_conv.c
+++ b/src/util/support/utf8_conv.c
@@ -268,12 +268,11 @@ k5_ucs2s_to_utf8s(char *utf8str, const krb5_ucs2 *ucs2str,
{
while (ucs2len == -1 ? *ucs2str : --ucs2len >= 0) {
/* Get UTF-8 size of next wide char */
+ ch = *ucs2str++;
#ifdef K5_BE
if (little_endian)
- ch = SWAP16(*ucs2str++);
- else
+ ch = SWAP16(ch);
#endif
- ch = *ucs2str++;
n = krb5int_ucs2_to_utf8(ch, NULL);
if (n < 1)
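Review bot: Nothing at the new `ch = *ucs2str++;` / `ch = SWAP16(ch);` pair records why the read is a separate statement, so a later tidy-up could fold `*ucs2str++` back into the macro argument and bring the over-read back. A one-line comment above the read would pin the constraint: `/* Read first: SWAP16 may evaluate its argument more than once. */`. The same applies to the second loop in the following hunk of this file. The SWAP16 definition is outside the hunk; if the fallback is a plain function-like macro, replacing it with a `static inline` helper taking a `krb5_ucs2` would remove the double-evaluation hazard at every call site instead of relying on callers. The body of k5_ucs2s_to_utf8s starts and ends outside the hunk, so whether the caller-supplied `ucs2len` is bounded against the real buffer cannot be checked from here.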
@@ -290,12 +289,11 @@ k5_ucs2s_to_utf8s(char *utf8str, const krb5_ucs2 *ucs2str,
n = 1; /* In case of empty ucs2str */
while (ucs2len == -1 ? *ucs2str != 0 : --ucs2len >= 0) {
+ ch = *ucs2str++;
#ifdef K5_BE
if (little_endian)
- ch = SWAP16(*ucs2str++);
- else
+ ch = SWAP16(ch);
#endif
- ch = *ucs2str++;
n = krb5int_ucs2_to_utf8(ch, p);