aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2021-02-26 10:38:20 +0000
committerTatsuya Kinoshita <tats@debian.org>2021-02-26 11:29:12 +0000
commit6f1f65947c52a0c9eed2c4cd8dfb55694ea2eeaf (patch)
tree8127f627cdc4136f6ff866f7315717747769207f
parentFix OpenSSL default always overrides ssl_ca_file and ssl_ca_path (diff)
downloadw3m-6f1f65947c52a0c9eed2c4cd8dfb55694ea2eeaf.tar.gz
w3m-6f1f65947c52a0c9eed2c4cd8dfb55694ea2eeaf.zip
Fix integer overflow due to Strgrow
Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
Diffstat (limited to '')
-rw-r--r--Str.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/Str.c b/Str.c
index 61fe3ca..7e86f83 100644
--- a/Str.c
+++ b/Str.c
@@ -21,10 +21,12 @@
#ifdef __EMX__ /* or include "fm.h" for HAVE_BCOPY? */
#include <strings.h>
#endif
+#include <limits.h>
#include "Str.h"
#include "myctype.h"
#define INITIAL_STR_SIZE 32
+#define STR_SIZE_MAX INT_MAX
#ifdef STR_DEBUG
/* This is obsolete, because "Str" can handle a '\0' character now. */
@@ -237,9 +239,12 @@ Strgrow(Str x)
newlen = x->area_size * 6 / 5;
if (newlen == x->area_size)
newlen += 2;
+ if (newlen < 0 || newlen > STR_SIZE_MAX)
+ newlen = STR_SIZE_MAX;
x->ptr = GC_MALLOC_ATOMIC(newlen);
x->area_size = newlen;
bcopy((void *)old, (void *)x->ptr, x->length);
+ x->ptr[x->length] = '\0';
GC_free(old);
}