From 512ed467d12615f5ef40d0d28272e5662d8438ea Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Wed, 7 Dec 2016 21:14:07 +0900
Subject: Prevent overflow beyond the end of string in proc_mchar()

Bug-Debian: https://github.com/tats/w3m/issues/59
---
 file.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'file.c')

diff --git a/file.c b/file.c
index 50f6b9a..134df82 100644
--- a/file.c
+++ b/file.c
@@ -2599,6 +2599,8 @@ static void
 proc_mchar(struct readbuffer *obuf, int pre_mode,
 	   int width, char **str, Lineprop mode)
 {
+    size_t len;
+
     check_breakpoint(obuf, pre_mode, *str);
     obuf->pos += width;
     Strcat_charp_n(obuf->line, *str, get_mclen(*str));
@@ -2607,7 +2609,10 @@ proc_mchar(struct readbuffer *obuf, int pre_mode,
 	if (**str != ' ')
 	    obuf->prev_ctype = mode;
     }
-    (*str) += get_mclen(*str);
+    len = get_mclen(*str);
+    if (len > strlen(*str))
+	len = strlen(*str);
+    (*str) += len;
     obuf->flag |= RB_NFLUSHED;
 }
 
-- 
cgit v1.2.3