From 75dcdc2cf37478fad6c0e3427403d198b554951d Mon Sep 17 00:00:00 2001
From: Erik Larsson <erik@tuxera.com>
Date: Tue, 13 Jun 2023 17:47:15 +0300
Subject: [PATCH] unistr.c: Fix use-after-free in 'ntfs_uppercase_mbs'.

If 'utf8_to_unicode' throws an error due to an invalid UTF-8 sequence,
then 'n' will be less than 0 and the loop will terminate without storing
anything in '*t'. After the loop the uppercase string's allocation is
freed, however after it is freed it is unconditionally accessed through
'*t', which points into the freed allocation, for the purpose of NULL-
terminating the string. This leads to a use-after-free.
Fixed by only NULL-terminating the string when no error has been thrown.

Thanks for Jeffrey Bencteux for reporting this issue:
https://github.com/tuxera/ntfs-3g/issues/84
---
 libntfs-3g/unistr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libntfs-3g/unistr.c b/libntfs-3g/unistr.c
index 5854b3b7..db8ddf42 100644
--- a/libntfs-3g/unistr.c
+++ b/libntfs-3g/unistr.c
@@ -1189,8 +1189,9 @@ char *ntfs_uppercase_mbs(const char *low,
 			free(upp);
 			upp = (char*)NULL;
 			errno = EILSEQ;
+		} else {
+			*t = 0;
 		}
-		*t = 0;
 	}
 	return (upp);
 }
-- 
2.45.0