authorTatsuya Kinoshita <tats@debian.org>2016-12-07 16:00:42 +0000
committerTatsuya Kinoshita <tats@debian.org>2017-01-06 13:12:45 +0000
commitdd35652c8200350de7d02178a1c1e2c2dc200ade (patch)
tree62c81abfdc9d4740c6a9eab46ef51137318b590f
parentPrevent heap-use-after-free in HTMLlineproc0() (diff)
downloadw3m-dd35652c8200350de7d02178a1c1e2c2dc200ade.tar.gz
w3m-dd35652c8200350de7d02178a1c1e2c2dc200ade.zip
Prevent overflow beyond the end of string in wtf_strwidth() and wtf_len()
Bug-Debian: https://github.com/tats/w3m/issues/57 Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7fbaf9444fcd2d3ce061775949b38deb4d489943 Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a56a8ef132945512c010cbcbc873dbb42274f9bd
-rw-r--r--libwc/wtf.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/libwc/wtf.c b/libwc/wtf.c
index b8cfdc7..adee338 100644
--- a/libwc/wtf.c
+++ b/libwc/wtf.c
@@ -120,8 +120,9 @@ int
wtf_strwidth(wc_uchar *p)
{
int w = 0;
+ wc_uchar *q = p + strlen(p);
- while (*p) {
+ while (p < q) {
w += wtf_width(p);
p += WTF_LEN_MAP[*p];
}
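Review bot: The last pass through the loop in wtf_strwidth() can still hand wtf_width() a truncated sequence, because `p < q` only proves the lead byte is inside the string, not that all `WTF_LEN_MAP[*p]` bytes are. If wtf_width() reads trailing bytes (its body is not in this hunk), that read can still run past the terminator. A guard before the call, `if ((size_t)(q - p) < WTF_LEN_MAP[*p]) break;`, would close this without forming an out-of-range pointer. Separately, strlen() takes `const char *`, so `strlen((const char *)p)` here and in wtf_len() avoids a pointer-signedness warning if wc_uchar is an unsigned char typedef, which is not shown. The end of the function lies outside the hunk.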
@@ -140,9 +141,10 @@ size_t
wtf_len(wc_uchar *p)
{
wc_uchar *q = p;
+ wc_uchar *strz = p + strlen(p);
q += WTF_LEN_MAP[*q];
- while (*q && ! WTF_WIDTH_MAP[*q])
+ while (q < strz && ! WTF_WIDTH_MAP[*q])
q += WTF_LEN_MAP[*q];
return q - p;
}
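Review bot: The first `q += WTF_LEN_MAP[*q];` in wtf_len() still runs before any comparison with `strz`, so for a truncated trailing sequence the returned `q - p` can exceed the bytes left in the string. The new `q < strz` test stops the loop from reading further, but a caller that advances by the return value would still step past the terminator. Consider clamping after the first advance, `if (q > strz) q = strz;`. Check first how callers treat an empty input, since the clamp would make it return 0. Note also that strlen() makes each call linear in the remaining string, which adds up if wtf_len() is used to walk a long buffer.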