Fix potential heap buffer corruption due to Strgrow

If Str.length = 5 and area_size = 6, the result of Strgrow is still area_size = 6. For such case, Strcat_char and Strinsert_char will overflow one byte.
author: Kuang-che Wu <kcwu@google.com> 2016-08-30 00:32:00 +0000
committer: Kuang-che Wu <kcwu@google.com> 2016-08-30 01:39:53 +0000
commit: c95a43dc92695464be11c8a51811aaa9761546e6 (patch)
tree: 30c4f88ed973ba97d823751c2cdbd95827ac145f /Str.c
parent: Update ChangeLog (diff)
download: w3m-c95a43dc92695464be11c8a51811aaa9761546e6.tar.gz
w3m-c95a43dc92695464be11c8a51811aaa9761546e6.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/Str.c b/Str.c
index 70e9957..d34129f 100644
--- a/Str.c
+++ b/Str.c
@@ -232,8 +232,8 @@ Strgrow(Str x)
 {
     char *old = x->ptr;
     int newlen;
-    newlen = x->length * 6 / 5;
-    if (newlen == x->length)
+    newlen = x->area_size * 6 / 5;
+    if (newlen == x->area_size)
 	newlen += 2;
     x->ptr = GC_MALLOC_ATOMIC(newlen);
     x->area_size = newlen;
author	Kuang-che Wu <kcwu@google.com>	2016-08-30 00:32:00 +0000
committer	Kuang-che Wu <kcwu@google.com>	2016-08-30 01:39:53 +0000
commit	c95a43dc92695464be11c8a51811aaa9761546e6 (patch)
tree	30c4f88ed973ba97d823751c2cdbd95827ac145f /Str.c
parent	Update ChangeLog (diff)
download	w3m-c95a43dc92695464be11c8a51811aaa9761546e6.tar.gz w3m-c95a43dc92695464be11c8a51811aaa9761546e6.zip