From 8e554ab5ef5a17c7eb271000217e036be07d88db Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Fri, 16 Dec 2016 14:42:41 +0000
Subject: [PATCH] Avoid buffer overrun on encryption

Make sure we null-terminate encrypted strings before passing them to UTF8ToString. This used to work when we allocated the buffer on the stack, because it turns out that allocate() zeroinits the returned memory. malloc(), of course, does not.
---
 javascript/olm_outbound_group_session.js | 8 ++++++++
 javascript/olm_post.js | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/javascript/olm_outbound_group_session.js b/javascript/olm_outbound_group_session.js
index 0402c3c..24ea644 100644
--- a/javascript/olm_outbound_group_session.js
+++ b/javascript/olm_outbound_group_session.js
@@ -83,6 +83,14 @@ OutboundGroupSession.prototype['encrypt'] = function(plaintext) {
 plaintext_buffer, plaintext_length,
 message_buffer, message_length
 );
+
+ // UTF8ToString requires a null-terminated argument, so add the
+ // null terminator.
+ Module['setValue'](
+ message_buffer+message_length,
+ 0, "i8"
+ );
+
 return Module['UTF8ToString'](message_buffer);
 } finally {
 if (plaintext_buffer !== undefined) {
diff --git a/javascript/olm_post.js b/javascript/olm_post.js
index 3e80c0b..65eab02 100644
--- a/javascript/olm_post.js
+++ b/javascript/olm_post.js
@@ -335,6 +335,14 @@ Session.prototype['encrypt'] = restore_stack(function(
 random, random_length,
 message_buffer, message_length
 );
+
+ // UTF8ToString requires a null-terminated argument, so add the
+ // null terminator.
+ Module['setValue'](
+ message_buffer+message_length,
+ 0, "i8"
+ );
+
 return {
 "type": message_type,
 "body": Module['UTF8ToString'](message_buffer),
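Review bot: The terminator written at `message_buffer+message_length` in `OutboundGroupSession.prototype['encrypt']` is in bounds only if `message_buffer` was allocated with at least `message_length + 1` bytes, and that allocation is outside the hunk. The same applies to the identical write in `Session.prototype['encrypt']` in olm_post.js. If either malloc() call requests exactly `message_length` bytes, the change replaces an over-read in UTF8ToString with a one-byte heap write past the end of the buffer. I would confirm both allocation sizes and record the invariant next to the write, for example `// message_buffer is allocated with message_length + 1 bytes, so the terminator fits`. Any other malloc()-backed buffer that is handed to UTF8ToString elsewhere in these files presumably needs the same terminator; both function bodies start and end outside their hunks, so that cannot be checked from here.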