Crash on long unicode sequence (integer overflow) #335

Closed
bburhans opened this issue May 13, 2020 · 2 comments

Comments

@bburhans

Very minor issue due to unlikely and invalid input sequences, one of many that could be found with a few minutes of fuzzing, I assume.

Application: wincompose.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.OverflowException
   at System.ParseNumbers.StringToInt(System.String, Int32, Int32, Int32*)
   at System.Convert.ToInt32(System.String, Int32)
   at WinCompose.Settings.GetGenericSequenceResult(WinCompose.KeySequence, System.String ByRef)
   at WinCompose.Composer.AddToSequence(WinCompose.Key)
   at WinCompose.Composer.OnKeyInternal(WinCompose.WM, WinCompose.VK, WinCompose.SC, WinCompose.LLKHF)
   at WinCompose.Composer.OnKey(WinCompose.WM, WinCompose.VK, WinCompose.SC, WinCompose.LLKHF)
   at WinCompose.KeyboardHook.OnKey(WinCompose.HC, WinCompose.WM, IntPtr)

This can be reproduced by enabling "advanced unicode input" and typing:
composeud8341d11eEnter

(This particular combination was a mistake while I was testing how best to type the G clef character 𝄞: it is not in the basic multilingual plane, so it is usable for some (modern) apps as U+1d11e and others only as a UTF-16 surrogate pair \ud384\udd1e. For the record, the former works fine in WinCompose, which is preferred.)

In case this self-evident stack trace is not enough, I can probably provide dumps and other proper debugging info if necessary. Not that it should matter for this particular issue, but I am on Windows version 10.0.18363 (Build 18363).

Am I correct in guessing that this overflow is happening here, and that it would be averted by comparing m.Groups[1].Value against Int32.MaxValue before that line and returning false if it's too large?

Thank you for an excellent piece of open-source software.

@samhocevar
Owner

Thanks! I fixed it by limiting Unicode input to 6 digits. The fix will be in the next release.

@samhocevar
Owner

Hi! You’ll be happy to know the issue is fixed in WinCompose 0.9.5!
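
The failure mode and the 6-digit limit discussed in this thread, as an added example that is not part of the original thread and is not WinCompose's own code. The class name, both regular expressions and the helper names are assumptions; only the `Convert.ToInt32(string, 16)` call and the use of `m.Groups[1].Value` come from the report.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;

static class UnicodeSequenceDemo
{
    // Assumed pattern: "u" followed by any number of hex digits.
    static readonly Regex Unbounded = new Regex("^u([0-9a-f]+)$", RegexOptions.IgnoreCase);
    // Same pattern capped at 6 digits, enough for the highest code point U+10FFFF.
    static readonly Regex Bounded = new Regex("^u([0-9a-f]{1,6})$", RegexOptions.IgnoreCase);

    // Unbounded variant: mirrors the Convert.ToInt32(string, 16) call in the
    // stack trace, which throws OverflowException on 9 or more hex digits.
    static string ParseUnchecked(string typed)
    {
        Match m = Unbounded.Match(typed);
        if (!m.Success) return null;
        int codepoint = Convert.ToInt32(m.Groups[1].Value, 16);
        return char.ConvertFromUtf32(codepoint);
    }

    // Hardened variant: bounded length, non-throwing parse, explicit range checks.
    static bool TryParseChecked(string typed, out string result)
    {
        result = null;
        Match m = Bounded.Match(typed);
        if (!m.Success) return false;
        if (!int.TryParse(m.Groups[1].Value, NumberStyles.AllowHexSpecifier,
                          CultureInfo.InvariantCulture, out int cp)) return false;
        // Six hex digits can still exceed U+10FFFF or name a lone surrogate.
        if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return false;
        result = char.ConvertFromUtf32(cp);
        return true;
    }

    static void Main()
    {
        // Constructed inputs; the second is the sequence typed in the report.
        foreach (string typed in new[] { "u1d11e", "ud8341d11e", "ud834", "u110000" })
        {
            bool ok = TryParseChecked(typed, out string s);
            string shown = ok ? "U+" + char.ConvertToUtf32(s, 0).ToString("X") : "rejected";
            Console.WriteLine(typed + ": checked=" + shown);
            try { ParseUnchecked(typed); }
            catch (Exception e) { Console.WriteLine("  unchecked threw " + e.GetType().Name); }
        }
    }
}
```

The length cap alone removes the `OverflowException`; the range checks cover the remaining inputs for which `char.ConvertFromUtf32` would throw `ArgumentOutOfRangeException`.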
