From e79d0ec2a00369a6af24007a1f2bb5e876e2c847 Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita Date: Tue, 13 Dec 2016 22:44:08 +0900 Subject: Prevent overflow beyond the end of string in proc_mchar() Bug-Debian: https://github.com/tats/w3m/issues/80 cf. https://github.com/tats/w3m/issues/59 --- file.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'file.c') diff --git a/file.c b/file.c index 7d227da..efee0c6 100644 --- a/file.c +++ b/file.c @@ -2603,19 +2603,20 @@ static void proc_mchar(struct readbuffer *obuf, int pre_mode, int width, char **str, Lineprop mode) { - size_t len; + int len, slen; check_breakpoint(obuf, pre_mode, *str); obuf->pos += width; - Strcat_charp_n(obuf->line, *str, get_mclen(*str)); + len = get_mclen(*str); + slen = (int)strlen(*str); + if (len > slen && slen > 0) + len = slen; + Strcat_charp_n(obuf->line, *str, len); if (width > 0) { set_prevchar(obuf->prevchar, *str, 1); if (**str != ' ') obuf->prev_ctype = mode; } - len = get_mclen(*str); - if (len > strlen(*str)) - len = strlen(*str); (*str) += len; obuf->flag |= RB_NFLUSHED; } -- cgit v1.2.3