diff options
| author | Tatsuya Kinoshita <tats@debian.org> | 2021-02-26 10:38:20 +0000 |
|---|---|---|
| committer | Tatsuya Kinoshita <tats@debian.org> | 2021-02-26 11:29:12 +0000 |
| commit | 6f1f65947c52a0c9eed2c4cd8dfb55694ea2eeaf (patch) | |
| tree | 8127f627cdc4136f6ff866f7315717747769207f | |
| parent | Fix OpenSSL default always overrides ssl_ca_file and ssl_ca_path (diff) | |
| download | w3m-6f1f65947c52a0c9eed2c4cd8dfb55694ea2eeaf.tar.gz w3m-6f1f65947c52a0c9eed2c4cd8dfb55694ea2eeaf.zip | |
Fix integer overflow due to Strgrow
Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
| -rw-r--r-- | Str.c | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -21,10 +21,12 @@ #ifdef __EMX__ /* or include "fm.h" for HAVE_BCOPY? */ #include <strings.h> #endif +#include <limits.h> #include "Str.h" #include "myctype.h" #define INITIAL_STR_SIZE 32 +#define STR_SIZE_MAX INT_MAX #ifdef STR_DEBUG /* This is obsolete, because "Str" can handle a '\0' character now. */ @@ -237,9 +239,12 @@ Strgrow(Str x) newlen = x->area_size * 6 / 5; if (newlen == x->area_size) newlen += 2; + if (newlen < 0 || newlen > STR_SIZE_MAX) + newlen = STR_SIZE_MAX; x->ptr = GC_MALLOC_ATOMIC(newlen); x->area_size = newlen; bcopy((void *)old, (void *)x->ptr, x->length); + x->ptr[x->length] = '\0'; GC_free(old); } |