From e79d0ec2a00369a6af24007a1f2bb5e876e2c847 Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Tue, 13 Dec 2016 22:44:08 +0900
Subject: Prevent overflow beyond the end of string in proc_mchar()

Bug-Debian: https://github.com/tats/w3m/issues/80
cf. https://github.com/tats/w3m/issues/59
---
 file.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/file.c b/file.c
index 7d227da..efee0c6 100644
--- a/file.c
+++ b/file.c
@@ -2603,19 +2603,20 @@ static void
 proc_mchar(struct readbuffer *obuf, int pre_mode,
 	   int width, char **str, Lineprop mode)
 {
-    size_t len;
+    int len, slen;
 
     check_breakpoint(obuf, pre_mode, *str);
     obuf->pos += width;
-    Strcat_charp_n(obuf->line, *str, get_mclen(*str));
+    len = get_mclen(*str);
+    slen = (int)strlen(*str);
+    if (len > slen && slen > 0)
+	len = slen;
+    Strcat_charp_n(obuf->line, *str, len);
     if (width > 0) {
 	set_prevchar(obuf->prevchar, *str, 1);
 	if (**str != ' ')
 	    obuf->prev_ctype = mode;
     }
-    len = get_mclen(*str);
-    if (len > strlen(*str))
-	len = strlen(*str);
     (*str) += len;
     obuf->flag |= RB_NFLUSHED;
 }
-- 
cgit v1.2.3