aboutsummaryrefslogtreecommitdiffstats
path: root/Str.c
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2021-02-26 10:38:20 +0000
committerTatsuya Kinoshita <tats@debian.org>2021-02-26 10:38:20 +0000
commitf0aff94b2bd53e7ea1bacc2b71e1692846a9a779 (patch)
treee834b7472e269edc30f3a2b60c8c68ef57734c06 /Str.c
parentUpdate ChangeLog (diff)
downloadw3m-f0aff94b2bd53e7ea1bacc2b71e1692846a9a779.tar.gz
w3m-f0aff94b2bd53e7ea1bacc2b71e1692846a9a779.zip
Fix integer overflow due to Strgrow
Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
Diffstat (limited to 'Str.c')
-rw-r--r--Str.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/Str.c b/Str.c
index 61fe3ca..7e86f83 100644
--- a/Str.c
+++ b/Str.c
@@ -21,10 +21,12 @@
#ifdef __EMX__ /* or include "fm.h" for HAVE_BCOPY? */
#include <strings.h>
#endif
+#include <limits.h>
#include "Str.h"
#include "myctype.h"
#define INITIAL_STR_SIZE 32
+#define STR_SIZE_MAX INT_MAX
#ifdef STR_DEBUG
/* This is obsolete, because "Str" can handle a '\0' character now. */
@@ -237,9 +239,12 @@ Strgrow(Str x)
newlen = x->area_size * 6 / 5;
if (newlen == x->area_size)
newlen += 2;
+ if (newlen < 0 || newlen > STR_SIZE_MAX)
+ newlen = STR_SIZE_MAX;
x->ptr = GC_MALLOC_ATOMIC(newlen);
x->area_size = newlen;
bcopy((void *)old, (void *)x->ptr, x->length);
+ x->ptr[x->length] = '\0';
GC_free(old);
}