From b4d27ba5ccffaa38e968c2bf3a8eeb9cd43928ff Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita Date: Sat, 10 Dec 2016 17:10:17 +0900 Subject: Prevent overflow beyond the end of string for wtf to wcs macros Bug-Debian: https://github.com/tats/w3m/issues/77 --- libwc/wtf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'libwc/wtf.c') diff --git a/libwc/wtf.c b/libwc/wtf.c index 83839d7..bf87e5f 100644 --- a/libwc/wtf.c +++ b/libwc/wtf.c @@ -167,15 +167,17 @@ wtf_type(wc_uchar *p) ((p)[3] = (((c) >> 7) & 0x7f) | 0x80), \ ((p)[4] = ( (c) & 0x7f) | 0x80) #define wtf_to_wcs16(p) \ + (strlen(p) < 3 ? 0 : \ ((wc_uint32)((p)[0] & 0x03) << 14) \ | ((wc_uint32)((p)[1] & 0x7f) << 7) \ - | ((wc_uint32)((p)[2] & 0x7f) ) + | ((wc_uint32)((p)[2] & 0x7f) )) #define wtf_to_wcs32(p) \ + (strlen(p) < 5 ? 0 : \ ((wc_uint32)((p)[0] & 0x0f) << 28) \ | ((wc_uint32)((p)[1] & 0x7f) << 21) \ | ((wc_uint32)((p)[2] & 0x7f) << 14) \ | ((wc_uint32)((p)[3] & 0x7f) << 7) \ - | ((wc_uint32)((p)[4] & 0x7f) ) + | ((wc_uint32)((p)[4] & 0x7f) )) void wtf_push(Str os, wc_ccs ccs, wc_uint32 code) -- cgit v1.2.3