authorTatsuya Kinoshita <tats@debian.org>2021-02-27 00:17:07 +0000
committerTatsuya Kinoshita <tats@debian.org>2021-02-27 00:27:50 +0000
commit922ac9d15ad6c551c6579cc062a55a9b881b8c0d (patch)
tree2db0ceceea967c17710e63e6bf0612398ca2410b
parentFix potential overflow due to Str.c (diff)
downloadw3m-922ac9d15ad6c551c6579cc062a55a9b881b8c0d.tar.gz
w3m-922ac9d15ad6c551c6579cc062a55a9b881b8c0d.zip
One more fix overflow due to Strgrow
Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
-rw-r--r--Str.c7
1 files changed, 5 insertions, 2 deletions
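--- a/Str.c
+++ b/Str.c
@@ -26,7 +26,7 @@
 #include "myctype.h"
 #define INITIAL_STR_SIZE 32
-#define STR_SIZE_MAX INT_MAX
+#define STR_SIZE_MAX (INT_MAX - 1)
 #ifdef STR_DEBUG
 /* This is obsolete, because "Str" can handle a '\0' character now. */
@@ -259,8 +259,11 @@ Strgrow(Str x)
 newlen = x->area_size * 6 / 5;
 if (newlen == x->area_size)
 newlen += 2;
-if (newlen < 0 || newlen > STR_SIZE_MAX)
+if (newlen < 0 || newlen > STR_SIZE_MAX) {
 newlen = STR_SIZE_MAX;
+if (x->length + 1 >= newlen)
+x->length = newlen - 2;
+}
 x->ptr = GC_MALLOC_ATOMIC(newlen);
 x->area_size = newlen;
 bcopy((void *)old, (void *)x->ptr, x->length);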
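Review bot: The new cap in the `newlen > STR_SIZE_MAX` branch still relies on the `newlen < 0` test catching the overflow of `x->area_size * 6` on the first line of the hunk, and that overflow is signed-integer UB, so a compiler is entitled to assume it never happens and drop the test; the length should be bounded before the multiply, e.g. `newlen = (x->area_size > INT_MAX / 6) ? STR_SIZE_MAX : x->area_size * 6 / 5;`. The added `x->length = newlen - 2;` silently discards the tail of the string once the cap is reached (the following `bcopy` then copies only the shortened length), which keeps the copy in bounds but deserves a comment such as `/* at the size cap: drop the tail so one more byte and the NUL still fit */`, and, if the caller can observe it, a note in Strgrow's header that appends past STR_SIZE_MAX truncate. The `- 2` presumably reserves one byte for the character being appended and one for the terminator; confirm that against the callers, since the hunk does not show it. Strgrow's signature and its remaining body lie outside this hunk.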