From 6eea841d3a0f8dc539584dc67b15f585a8213775 Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita Date: Thu, 15 Dec 2016 23:10:38 +0900 Subject: Prevent overflow beyond the end of string in caller of get_mclen() Bug-Debian: https://github.com/tats/w3m/issues/59 Bug-Debian: https://github.com/tats/w3m/issues/73 Bug-Debian: https://github.com/tats/w3m/issues/74 Bug-Debian: https://github.com/tats/w3m/issues/76 Bug-Debian: https://github.com/tats/w3m/issues/79 Bug-Debian: https://github.com/tats/w3m/issues/80 Bug-Debian: https://github.com/tats/w3m/issues/83 Bug-Debian: https://github.com/tats/w3m/issues/84 --- libwc/wtf.c | 11 ++++++++--- libwc/wtf.h | 3 +-- 2 files changed, 9 insertions(+), 5 deletions(-) (limited to 'libwc') diff --git a/libwc/wtf.c b/libwc/wtf.c index 7d450a1..5ec25af 100644 --- a/libwc/wtf.c +++ b/libwc/wtf.c @@ -129,13 +129,18 @@ wtf_strwidth(wc_uchar *p) return w; } -/* size_t wtf_len1(wc_uchar *p) { - return (size_t)WTF_LEN_MAP[*p]; + size_t len, len_max = WTF_LEN_MAP[*p]; + + for (len = 0; *(p + len); len++) + if (len == len_max) + break; + if (len == 0) + len = 1; + return len; } -*/ size_t wtf_len(wc_uchar *p) diff --git a/libwc/wtf.h b/libwc/wtf.h index ad47973..435526f 100644 --- a/libwc/wtf.h +++ b/libwc/wtf.h @@ -59,8 +59,7 @@ extern void wtf_init(wc_ces ces1, wc_ces ces2); #define wtf_width(p) (WcOption.use_wide ? (int)WTF_WIDTH_MAP[(wc_uchar)*(p)] \ : ((int)WTF_WIDTH_MAP[(wc_uchar)*(p)] ? 1 : 0)) extern int wtf_strwidth(wc_uchar *p); -/* extern size_t wtf_len1(wc_uchar *p); */ -#define wtf_len1(p) ((int)WTF_LEN_MAP[(wc_uchar)*(p)]) +extern size_t wtf_len1(wc_uchar *p); extern size_t wtf_len(wc_uchar *p); /* extern int wtf_type(wc_uchar *p); */ #define wtf_type(p) WTF_TYPE_MAP[(wc_uchar)*(p)] -- cgit v1.2.3