From b9c24321017694b49518337aa7226f13bc22f3c8 Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita
Date: Tue, 23 Mar 2021 01:36:46 +0900
Subject: Prevent very long language tag in libwc

Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32229
---
 libwc/ucs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libwc/ucs.c b/libwc/ucs.c
index 5d110f3..4fe020d 100644
--- a/libwc/ucs.c
+++ b/libwc/ucs.c
@@ -29,6 +29,7 @@
 #include "map/ucs_isupper.map"
 #include "map/ucs_case.map"
 
+#define MAX_TAG_LEN (8 + 1 + 8)
 #define MAX_TAG_MAP 0x100
 static int n_tag_map = 0;
 static char *tag_map[ MAX_TAG_MAP ];
@@ -701,11 +702,12 @@ wtf_push_ucs(Str os, wc_uint32 ucs, wc_status *st)
     if (! WcOption.use_language_tag)
 	return;
     if (ucs == WC_C_LANGUAGE_TAG)
-	st->tag = Strnew_size(4);
+	st->tag = Strnew_size(MAX_TAG_LEN);
     else if (ucs == WC_C_CANCEL_TAG) {
 	st->tag = NULL;
 	st->ntag = 0;
-    } else if (st->tag && ucs >= WC_C_TAG_SPACE)
+    } else if (st->tag && st->tag->length < MAX_TAG_LEN &&
+	       ucs >= WC_C_TAG_SPACE)
 	Strcat_char(st->tag, (char)(ucs & 0x7f));
     return;
 }
-- 
cgit v1.2.3
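Review bot: The new `MAX_TAG_LEN (8 + 1 + 8)` define carries no explanation of what the three terms are, so the next reader has to reverse-engineer why the limit is 17 rather than, say, 16 or 32. The shape presumably reflects a two-part language tag (primary subtag, hyphen, secondary subtag, each subtag at most eight characters), but that is an inference from the numbers, not something the hunk states. A one-line comment above the define would settle it, e.g. `/* "xxxxxxxx-yyyyyyyy": longest language tag we accept; longer input is ignored */`, adjusted to whatever the intended tag grammar is.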
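Review bot: The added `st->tag->length < MAX_TAG_LEN` check bounds the tag's growth, but it does so by silently truncating: once the tag reaches MAX_TAG_LEN, every further tag character is dropped and the tag is left looking complete, so an over-long input is later treated as whatever its first MAX_TAG_LEN characters happen to spell. If the tag is later compared against tag_map entries (not visible in this hunk), a truncated tag could match a shorter, unrelated language instead of being rejected, which is probably not what the fuzzer-driven fix intends. Consider treating overflow like WC_C_CANCEL_TAG instead, e.g. adding `} else if (st->tag && st->tag->length >= MAX_TAG_LEN) { st->tag = NULL; st->ntag = 0;` ahead of the append branch, so an invalid tag is discarded rather than clipped. The `(char)(ucs & 0x7f)` append itself is unchanged and fine as long as WC_C_TAG_SPACE is above 0x7f, which this hunk does not show. wtf_push_ucs starts before this hunk; only the tail of its body is visible here.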