One more fix overflow due to Strgrow

Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
author: Tatsuya Kinoshita <tats@debian.org> 2021-02-27 00:17:07 +0000
committer: Tatsuya Kinoshita <tats@debian.org> 2021-02-27 00:17:07 +0000
commit: 31d0457609dda6266bb9904e1b93cc7567670cc3 (patch)
tree: 1320568b93ae86b1f7ea8777bda357ef2e1c77b7
parent: Update ChangeLog (diff)
download: w3m-31d0457609dda6266bb9904e1b93cc7567670cc3.tar.gz
w3m-31d0457609dda6266bb9904e1b93cc7567670cc3.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/Str.c b/Str.c
index 277478a..ab083d2 100644
--- a/Str.c
+++ b/Str.c
@@ -26,7 +26,7 @@
 #include "myctype.h"
 
 #define INITIAL_STR_SIZE 32
-#define STR_SIZE_MAX INT_MAX
+#define STR_SIZE_MAX (INT_MAX - 1)
 
 #ifdef STR_DEBUG
 /* This is obsolete, because "Str" can handle a '\0' character now. */
@@ -259,8 +259,11 @@ Strgrow(Str x)
     newlen = x->area_size * 6 / 5;
     if (newlen == x->area_size)
 	newlen += 2;
-    if (newlen < 0 || newlen > STR_SIZE_MAX)
+    if (newlen < 0 || newlen > STR_SIZE_MAX) {
 	newlen = STR_SIZE_MAX;
+	if (x->length + 1 >= newlen)
+	    x->length = newlen - 2;
+    }
     x->ptr = GC_MALLOC_ATOMIC(newlen);
     x->area_size = newlen;
     bcopy((void *)old, (void *)x->ptr, x->length);
author	Tatsuya Kinoshita <tats@debian.org>	2021-02-27 00:17:07 +0000
committer	Tatsuya Kinoshita <tats@debian.org>	2021-02-27 00:17:07 +0000
commit	31d0457609dda6266bb9904e1b93cc7567670cc3 (patch)
tree	1320568b93ae86b1f7ea8777bda357ef2e1c77b7
parent	Update ChangeLog (diff)
download	w3m-31d0457609dda6266bb9904e1b93cc7567670cc3.tar.gz w3m-31d0457609dda6266bb9904e1b93cc7567670cc3.zip