From dd35652c8200350de7d02178a1c1e2c2dc200ade Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Thu, 8 Dec 2016 01:00:42 +0900
Subject: Prevent overflow beyond the end of string in wtf_strwidth() and
 wtf_len()

Bug-Debian: https://github.com/tats/w3m/issues/57
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7fbaf9444fcd2d3ce061775949b38deb4d489943
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a56a8ef132945512c010cbcbc873dbb42274f9bd
---
 libwc/wtf.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)


diff --git a/libwc/wtf.c b/libwc/wtf.c
index b8cfdc7..adee338 100644
--- a/libwc/wtf.c
+++ b/libwc/wtf.c
@@ -120,8 +120,9 @@ int
 wtf_strwidth(wc_uchar *p)
 {
     int w = 0;
+    wc_uchar *q = p + strlen(p);
 
-    while (*p) {
+    while (p < q) {
 	w += wtf_width(p);
 	p += WTF_LEN_MAP[*p];
     }
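Review bot: In wtf_strwidth the new `p < q` bound stops the loop condition from dereferencing past the terminator, but `p += WTF_LEN_MAP[*p]` can still step p more than one element past the end of the buffer when the last lead byte announces a longer sequence than actually remains, which is undefined pointer arithmetic in C. wtf_width(p) is also still called on that truncated sequence; whether it reads continuation bytes is not visible in this hunk, so it should be checked. Clamping the step keeps the pointer in bounds: `size_t n = WTF_LEN_MAP[*p]; p += (n > (size_t)(q - p)) ? (size_t)(q - p) : n;`. Separately, strlen() is given a wc_uchar *, which presumably wants an explicit `(char *)p` cast to avoid a pointer-sign diagnostic. The function's return statement lies outside the hunk.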
@@ -140,9 +141,10 @@ size_t
 wtf_len(wc_uchar *p)
 {
     wc_uchar *q = p;
+    wc_uchar *strz = p + strlen(p);
 
     q += WTF_LEN_MAP[*q];
-    while (*q && ! WTF_WIDTH_MAP[*q])
+    while (q < strz && ! WTF_WIDTH_MAP[*q])
 	q += WTF_LEN_MAP[*q];
     return q - p;
 }
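Review bot: The first `q += WTF_LEN_MAP[*q];` in wtf_len still runs unconditionally, so for a truncated final sequence q lands beyond strz and the function returns a length larger than the bytes remaining in the string. The new `q < strz` test only protects the loop's own dereference; a caller that copies or advances by the returned length can still run past the terminator. Consider clamping before the return, e.g. `if (p < strz && q > strz) q = strz;`, which leaves the empty-string case returning what it does today; whether callers depend on the unclamped value cannot be judged from this hunk. A short comment such as `/* strz: address of the NUL terminator; never read at or beyond it */` would also make the invariant explicit.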
-- 
cgit v1.2.3