Prevent index overflow due to tag_map in libwc

Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31936

2 files changed, 5 insertions, 5 deletions

diff --git a/libwc/ucs.c b/libwc/ucs.c
index 18c3a67..5d110f3 100644
--- a/libwc/ucs.c
+++ b/libwc/ucs.c
@@ -677,9 +677,9 @@ wc_ucs_put_tag(char *p)
 	if (!strcasecmp(p, tag_map[i]))
 	    return i;
     }
-    n_tag_map++;
-    if (n_tag_map == MAX_TAG_MAP)
+    if (n_tag_map + 1 >= MAX_TAG_MAP)
 	return 0;
+    n_tag_map++;
     tag_map[n_tag_map] = p;
     return n_tag_map;
 }
@@ -687,7 +687,7 @@ wc_ucs_put_tag(char *p)
 char *
 wc_ucs_get_tag(int ntag)
 {
-    if (ntag == 0 || ntag > n_tag_map)
+    if (ntag <= 0 || ntag > n_tag_map)
 	return NULL;
     return tag_map[ntag];
 }
diff --git a/libwc/ucs.h b/libwc/ucs.h
index 261351e..3a721a9 100644
--- a/libwc/ucs.h
+++ b/libwc/ucs.h
@@ -25,8 +25,8 @@
 #define WC_C_UCS4_PLANE3	0x30000
 
 #define wc_ucs_tag_to_ucs(c)		((c) & WC_C_UNICODE_MASK)
-#define wc_ucs_tag_to_tag(c)		((c) >> 24)
-#define wc_ucs_to_ucs_tag(c,tag)	((c) | ((tag) << 24))
+#define wc_ucs_tag_to_tag(c)		(((c) >> 24) & 0xff)
+#define wc_ucs_to_ucs_tag(c,tag)	((c) | ((wc_uint32)((tag) & 0xff) << 24))
 #define wc_ccs_ucs_to_ccs_ucs_tag(ccs)	(WC_CCS_UCS_TAG | ((ccs) & ~WC_CCS_A_SET))
 #define wc_ucs_to_utf16(ucs) \
 	((((((ucs) - WC_C_UCS4_PLANE1) >> 10) | WC_C_UCS2_SURROGATE) << 16) \