aboutsummaryrefslogtreecommitdiffstats
path: root/Str.c
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2021-02-28 05:17:09 +0000
committerTatsuya Kinoshita <tats@debian.org>2021-02-28 07:28:02 +0000
commit29baf64b503f36c163cf5db246076708f0b484a8 (patch)
treee25ca04dfaed82e4ad1960386739484c2a303f43 /Str.c
parentPrevent unintentional integer overflow in Strgrow (diff)
downloadw3m-29baf64b503f36c163cf5db246076708f0b484a8.tar.gz
w3m-29baf64b503f36c163cf5db246076708f0b484a8.zip
Prevent unintentional integer overflow in Strcat_charp_n
Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31500
Diffstat (limited to 'Str.c')
-rw-r--r--Str.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/Str.c b/Str.c
index 4345168..aa47dc6 100644
--- a/Str.c
+++ b/Str.c
@@ -212,7 +212,7 @@ Strcat_charp_n(Str x, const char *y, int n)
}
if (x->area_size < newlen) {
char *old = x->ptr;
- newlen = newlen * 3 / 2;
+ newlen += newlen / 2;
if (newlen < 0 || newlen > STR_SIZE_MAX)
newlen = STR_SIZE_MAX;
x->ptr = GC_MALLOC_ATOMIC(newlen);