Prevent very long language tag in libwc

Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32229
author: Tatsuya Kinoshita <tats@debian.org> 2021-03-22 16:36:46 +0000
committer: Tatsuya Kinoshita <tats@debian.org> 2021-03-22 16:44:59 +0000
commit: b9c24321017694b49518337aa7226f13bc22f3c8 (patch)
tree: 75eaa27d702366977f9ea4b6c0b7a1edbb7b210d
parent: Update ChangeLog (diff)
download: w3m-b9c24321017694b49518337aa7226f13bc22f3c8.tar.gz
w3m-b9c24321017694b49518337aa7226f13bc22f3c8.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/libwc/ucs.c b/libwc/ucs.c
index 5d110f3..4fe020d 100644
--- a/libwc/ucs.c
+++ b/libwc/ucs.c
@@ -29,6 +29,7 @@
 #include "map/ucs_isupper.map"
 #include "map/ucs_case.map"
 
+#define MAX_TAG_LEN (8 + 1 + 8)
 #define MAX_TAG_MAP 0x100
 static int n_tag_map = 0;
 static char *tag_map[ MAX_TAG_MAP ];
@@ -701,11 +702,12 @@ wtf_push_ucs(Str os, wc_uint32 ucs, wc_status *st)
 	if (! WcOption.use_language_tag)
 	    return;
 	if (ucs == WC_C_LANGUAGE_TAG)
-	    st->tag = Strnew_size(4);
+	    st->tag = Strnew_size(MAX_TAG_LEN);
 	else if (ucs == WC_C_CANCEL_TAG) {
 	    st->tag = NULL;
 	    st->ntag = 0;
-	}  else if (st->tag && ucs >= WC_C_TAG_SPACE)
+	}  else if (st->tag && st->tag->length < MAX_TAG_LEN &&
+		    ucs >= WC_C_TAG_SPACE)
 	    Strcat_char(st->tag, (char)(ucs & 0x7f));
 	return;
     }
author	Tatsuya Kinoshita <tats@debian.org>	2021-03-22 16:36:46 +0000
committer	Tatsuya Kinoshita <tats@debian.org>	2021-03-22 16:44:59 +0000
commit	b9c24321017694b49518337aa7226f13bc22f3c8 (patch)
tree	75eaa27d702366977f9ea4b6c0b7a1edbb7b210d
parent	Update ChangeLog (diff)
download	w3m-b9c24321017694b49518337aa7226f13bc22f3c8.tar.gz w3m-b9c24321017694b49518337aa7226f13bc22f3c8.zip