@jmschonfeld
Contributor

_NSCFString.getBytes does not currently read/respect the provided max buffer length when writing bytes out to the provided buffer. When an insufficiently sized buffer is provided, a buffer overflow occurs. This appeared as a symptom in plutil where reading a plist with a long Unicode string would cause a buffer overflow since the UTF16 count was small enough for plutil to use a stack buffer instead of a dynamically-sized heap buffer, but the UTF8 count was long enough that writing the bytes overflows the stack buffer. This PR resolves the issue by breaking during byte iteration when we reach the max buffer length.
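The size mismatch described in the comment above, as an added example that is not code from this pull request or from swift-corelibs-foundation: a C UTF-16 to UTF-8 encoder that honours a maximum buffer length and stops before any scalar that would not fit whole. The function names (`utf8_required`, `utf16_to_utf8_bounded`) are hypothetical, and stopping on a whole-scalar boundary is a choice made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* UTF-8 bytes needed for one Unicode scalar value. */
static size_t utf8_len(uint32_t cp) {
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

/* Decode one scalar at src[*i], advancing *i; lone surrogates become U+FFFD. */
static uint32_t next_scalar(const uint16_t *src, size_t n, size_t *i) {
    uint32_t u = src[(*i)++];
    if (u >= 0xD800 && u <= 0xDBFF && *i < n &&
        src[*i] >= 0xDC00 && src[*i] <= 0xDFFF)
        return 0x10000 + ((u - 0xD800) << 10) + (src[(*i)++] - 0xDC00u);
    return (u >= 0xD800 && u <= 0xDFFF) ? 0xFFFD : u;
}

/* Size a full conversion needs; buffers must be sized from this,
   not from the UTF-16 count. */
size_t utf8_required(const uint16_t *src, size_t n) {
    size_t i = 0, total = 0;
    while (i < n) total += utf8_len(next_scalar(src, n, &i));
    return total;
}

/* Writes at most max_len bytes to dst and stops before any scalar that
   would not fit whole. Returns bytes written; *consumed = UTF-16 units used. */
size_t utf16_to_utf8_bounded(const uint16_t *src, size_t n, uint8_t *dst,
                             size_t max_len, size_t *consumed) {
    size_t i = 0, out = 0;
    while (i < n) {
        size_t start = i;
        uint32_t cp = next_scalar(src, n, &i);
        size_t need = utf8_len(cp);
        if (need > max_len - out) { i = start; break; }  /* the bound check */
        if (need == 1) {
            dst[out++] = (uint8_t)cp;
        } else {
            /* lead byte, then continuation bytes carrying 6 bits each */
            static const uint8_t lead[] = {0, 0, 0xC0, 0xE0, 0xF0};
            dst[out++] = (uint8_t)(lead[need] | (cp >> (6 * (need - 1))));
            for (size_t k = need - 1; k-- > 0;)
                dst[out++] = (uint8_t)(0x80 | ((cp >> (6 * k)) & 0x3F));
        }
    }
    if (consumed) *consumed = i;
    return out;
}
```

A caller that gets back fewer consumed units than it passed in knows the output was truncated and can retry with a buffer sized from `utf8_required`.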

@jmschonfeld
Contributor Author

@swift-ci test

@jmschonfeld
Contributor Author

This caused a new test failure:

```
[2025-11-11T20:35:39.977Z] Test Suite 'TestMeasurement' started at 2025-11-11 20:35:39.877
[2025-11-11T20:35:39.977Z] Test Case 'TestMeasurement.testCodingRoundtrip' started at 2025-11-11 20:35:39.877
[2025-11-11T20:35:39.977Z] TestFoundation/Utilities.swift:247: error: TestMeasurement.testCodingRoundtrip : XCTAssertTrue failed - The fixture with identifier 'NSMeasurement-Angle' failed to match after an in-memory roundtrip.
[2025-11-11T20:35:39.977Z] Test Case 'TestMeasurement.testCodingRoundtrip' failed (0.003 seconds)
```

This failure doesn't occur on the base release/6.2 branch so it appears to be due to this change and needs further investigation. I suspect it's related to round tripping the symbol property of the angle measurement which likely uses a non-ASCII string.

Development

Successfully merging this pull request may close these issues.

Segmentation fault when Linux plutil tries to convert a single non-ascii string of sufficiently long size to binary plist.
