diff options
author | Tatsuya Kinoshita <tats@debian.org> | 2021-02-27 00:17:07 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2021-02-27 00:27:50 +0000 |
commit | 922ac9d15ad6c551c6579cc062a55a9b881b8c0d (patch) | |
tree | 2db0ceceea967c17710e63e6bf0612398ca2410b | |
parent | Fix potential overflow due to Str.c (diff) | |
download | w3m-922ac9d15ad6c551c6579cc062a55a9b881b8c0d.tar.gz w3m-922ac9d15ad6c551c6579cc062a55a9b881b8c0d.zip |
One more fix overflow due to Strgrow
Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
-rw-r--r-- | Str.c | 7 |
1 files changed, 5 insertions, 2 deletions
@@ -26,7 +26,7 @@ #include "myctype.h" #define INITIAL_STR_SIZE 32 -#define STR_SIZE_MAX INT_MAX +#define STR_SIZE_MAX (INT_MAX - 1) #ifdef STR_DEBUG /* This is obsolete, because "Str" can handle a '\0' character now. */ @@ -259,8 +259,11 @@ Strgrow(Str x) newlen = x->area_size * 6 / 5; if (newlen == x->area_size) newlen += 2; - if (newlen < 0 || newlen > STR_SIZE_MAX) + if (newlen < 0 || newlen > STR_SIZE_MAX) { newlen = STR_SIZE_MAX; + if (x->length + 1 >= newlen) + x->length = newlen - 2; + } x->ptr = GC_MALLOC_ATOMIC(newlen); x->area_size = newlen; bcopy((void *)old, (void *)x->ptr, x->length); |