From 31d0457609dda6266bb9904e1b93cc7567670cc3 Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Sat, 27 Feb 2021 09:17:07 +0900
Subject: One more fix overflow due to Strgrow

Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
---
 Str.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'Str.c')

diff --git a/Str.c b/Str.c
index 277478a..ab083d2 100644
--- a/Str.c
+++ b/Str.c
@@ -26,7 +26,7 @@
 #include "myctype.h"
 
 #define INITIAL_STR_SIZE 32
-#define STR_SIZE_MAX INT_MAX
+#define STR_SIZE_MAX (INT_MAX - 1)
 
 #ifdef STR_DEBUG
 /* This is obsolete, because "Str" can handle a '\0' character now. */
@@ -259,8 +259,11 @@ Strgrow(Str x)
     newlen = x->area_size * 6 / 5;
     if (newlen == x->area_size)
 	newlen += 2;
-    if (newlen < 0 || newlen > STR_SIZE_MAX)
+    if (newlen < 0 || newlen > STR_SIZE_MAX) {
 	newlen = STR_SIZE_MAX;
+	if (x->length + 1 >= newlen)
+	    x->length = newlen - 2;
+    }
     x->ptr = GC_MALLOC_ATOMIC(newlen);
     x->area_size = newlen;
     bcopy((void *)old, (void *)x->ptr, x->length);
-- 
cgit v1.2.3