Buffer Overflow

Varying character sizes can cause problems when you put characters into a buffer. Consider the following code, which copies characters from a string, sz, into a buffer, rgch:

cb = 0;
while( cb < sizeof( rgch ) )
    rgch[ cb++ ] = *sz++;

The question is: Was the last byte copied a lead byte? The following does not solve the problem because it can potentially overflow the buffer:

cb = 0;
while( cb < sizeof( rgch ) )
{
    _mbccpy( rgch + cb, sz );
    cb += _mbclen( sz );
    sz = _mbsinc( sz );
}

The _mbccpy call attempts to do the right thing — copy the full character, whether it’s one or two bytes. But it doesn’t take into account that the last character copied may not fit in the buffer if the character is two bytes wide. The correct solution is:

cb = 0;
while( (cb + _mbclen( sz )) <= sizeof( rgch ) )
{
    _mbccpy( rgch + cb, sz );
    cb += _mbclen( sz );
    sz = _mbsinc( sz );
}

This code tests for possible buffer overflow in the loop test, using _mbclen to test the size of the current character pointed to by sz. By making a call to the _mbsnbcpy function, you can replace the while loop with a single line of code. For example:

/* One call replaces the loop: copies at most sizeof( rgch ) bytes from sz. */
_mbsnbcpy( rgch, sz, sizeof( rgch ) );
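
The difference between the byte-wise loop and the character-aware loop test can be checked with a portable sketch. This is an added example, not code from the original page: it assumes code page 932 (Shift-JIS) lead-byte ranges in a hypothetical is_lead helper in place of the CRT's _mbclen, and it goes beyond the page's loops by stopping at the end of the source string and reserving a byte for the terminator. The names copy_bytes, copy_chars, ends_on_lead_byte and SAMPLE are illustrative.

```c
#include <stddef.h>

/* Constructed sample: 'A' followed by two double-byte characters. */
static const unsigned char SAMPLE[] = { 0x41, 0x93, 0xFA, 0x96, 0x7B, 0x00 };

/* Assumption: code page 932 (Shift-JIS) lead-byte ranges, standing in for
   the locale-aware CRT test so the example builds with any C compiler. */
static int is_lead(unsigned char b)
{
    return (b >= 0x81 && b <= 0x9F) || (b >= 0xE0 && b <= 0xFC);
}

/* Byte-wise copy, like the page's first loop: can stop after a lead byte. */
size_t copy_bytes(unsigned char *dst, size_t cap, const unsigned char *src)
{
    size_t cb = 0;
    while (cb < cap && *src != '\0')
        dst[cb++] = *src++;
    return cb;
}

/* Whole-character copy: same loop test as the page's corrected version,
   with one byte held back for the terminator. Returns bytes copied. */
size_t copy_chars(unsigned char *dst, size_t cap, const unsigned char *src)
{
    size_t cb = 0;
    if (cap == 0) return 0;
    while (*src != '\0') {
        size_t n = is_lead(*src) ? 2 : 1;
        if (n == 2 && src[1] == '\0')
            break;                  /* source ends on a lone lead byte */
        if (cb + n > cap - 1)
            break;                  /* character plus NUL would not fit */
        while (n--)
            dst[cb++] = *src++;
    }
    dst[cb] = '\0';
    return cb;
}

/* Walks from the start (a trail byte can fall in the lead-byte range) and
   returns 1 if the last character is a lead byte without its trail byte. */
int ends_on_lead_byte(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len && i + (is_lead(buf[i]) ? 2u : 1u) <= len)
        i += is_lead(buf[i]) ? 2 : 1;
    return i < len;
}
```

With a 4-byte destination, copy_bytes fills all four bytes and leaves a lead byte with no trail byte at the end, while copy_chars stops after three bytes and terminates the buffer.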