authorTatsuya Kinoshita <tats@debian.org>2021-03-11 10:34:53 +0000
committerTatsuya Kinoshita <tats@debian.org>2021-03-11 10:34:53 +0000
commit2341cef6e98166977ee4f89cf1c3992a68cb3b4a (patch)
treef88557a635dc9c7f14a96de55a528e4f4f85cc1b
parentUpdate ChangeLog (diff)
downloadw3m-2341cef6e98166977ee4f89cf1c3992a68cb3b4a.tar.gz
w3m-2341cef6e98166977ee4f89cf1c3992a68cb3b4a.zip
Prevent index overflow due to tag_map in libwc
Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31936
-rw-r--r--libwc/ucs.c6
-rw-r--r--libwc/ucs.h4
2 files changed, 5 insertions, 5 deletions
diff --git a/libwc/ucs.c b/libwc/ucs.c
index 18c3a67..5d110f3 100644
--- a/libwc/ucs.c
+++ b/libwc/ucs.c
@@ -677,9 +677,9 @@ wc_ucs_put_tag(char *p)
if (!strcasecmp(p, tag_map[i]))
return i;
}
- n_tag_map++;
- if (n_tag_map == MAX_TAG_MAP)
+ if (n_tag_map + 1 >= MAX_TAG_MAP)
return 0;
+ n_tag_map++;
tag_map[n_tag_map] = p;
return n_tag_map;
}
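Review bot: The new bound check in wc_ucs_put_tag is correct only if tag_map is declared with at least MAX_TAG_MAP elements and MAX_TAG_MAP does not exceed 256, and neither assumption is stated near the check. The array declaration is outside this hunk, and the same commit masks the tag to 8 bits in ucs.h, so an index above 255 returned here would silently alias another tag. I would add a comment above the check such as `/* slot 0 means "no tag"; valid indices are 1..MAX_TAG_MAP-1 and must fit the 8-bit tag field in ucs.h */`. The function also stores `p` without copying it (`tag_map[n_tag_map] = p;`), so the caller has to keep that string alive as long as the table is used. That belongs in the function's header comment, which starts outside this hunk.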
@@ -687,7 +687,7 @@ wc_ucs_put_tag(char *p)
char *
wc_ucs_get_tag(int ntag)
{
- if (ntag == 0 || ntag > n_tag_map)
+ if (ntag <= 0 || ntag > n_tag_map)
return NULL;
return tag_map[ntag];
}
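Review bot: The upper bound in wc_ucs_get_tag still trusts n_tag_map alone, so the read of `tag_map[ntag]` is in range only while wc_ucs_put_tag keeps that counter below the array size. Because ntag is presumably derived from decoded input (the commit references a fuzzer report), a check against the constant would make the lookup safe on its own: `if (ntag <= 0 || ntag > n_tag_map || ntag >= MAX_TAG_MAP)`. A one-line comment saying that NULL means "no such tag" and must be handled by callers would also help.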
diff --git a/libwc/ucs.h b/libwc/ucs.h
index 261351e..3a721a9 100644
--- a/libwc/ucs.h
+++ b/libwc/ucs.h
@@ -25,8 +25,8 @@
#define WC_C_UCS4_PLANE3 0x30000
#define wc_ucs_tag_to_ucs(c) ((c) & WC_C_UNICODE_MASK)
-#define wc_ucs_tag_to_tag(c) ((c) >> 24)
-#define wc_ucs_to_ucs_tag(c,tag) ((c) | ((tag) << 24))
+#define wc_ucs_tag_to_tag(c) (((c) >> 24) & 0xff)
+#define wc_ucs_to_ucs_tag(c,tag) ((c) | ((wc_uint32)((tag) & 0xff) << 24))
#define wc_ccs_ucs_to_ccs_ucs_tag(ccs) (WC_CCS_UCS_TAG | ((ccs) & ~WC_CCS_A_SET))
#define wc_ucs_to_utf16(ucs) \
((((((ucs) - WC_C_UCS4_PLANE1) >> 10) | WC_C_UCS2_SURROGATE) << 16) \
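Review bot: wc_ucs_to_ucs_tag now masks `tag` but still ORs it into an unmasked `c`, so any bits already set above bit 23 in `c` are merged into the tag field and change which tag_map entry is looked up later. If callers can pass a value that already carries a tag (not visible here), masking the code point closes that gap: `#define wc_ucs_to_ucs_tag(c,tag) (((c) & WC_C_UNICODE_MASK) | ((wc_uint32)((tag) & 0xff) << 24))`. This assumes WC_C_UNICODE_MASK covers exactly the low 24 bits; its definition is outside the hunk. A short comment stating that the top 8 bits hold the tag_map index would explain why 0xff and 24 appear in both macros.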