blob: d53a1f9d2ebd371a591a93a4c2dbde49f634f1c9 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
Subject: Prevent overflow beyond the end of string for wtf to wcs macros
From: Tatsuya Kinoshita <tats@debian.org>
Bug-Debian: https://github.com/tats/w3m/issues/77
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=c3a3305e0334f76626aeaca76bcfab04a94f851d
---
libwc/wtf.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libwc/wtf.c b/libwc/wtf.c
index e80d990..cdc6cbc 100644
--- a/libwc/wtf.c
+++ b/libwc/wtf.c
@@ -173,15 +173,17 @@ wtf_type(wc_uchar *p)
((p)[3] = (((c) >> 7) & 0x7f) | 0x80), \
((p)[4] = ( (c) & 0x7f) | 0x80)
#define wtf_to_wcs16(p) \
+ ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 ? 0 : \
((wc_uint32)((p)[0] & 0x03) << 14) \
| ((wc_uint32)((p)[1] & 0x7f) << 7) \
- | ((wc_uint32)((p)[2] & 0x7f) )
+ | ((wc_uint32)((p)[2] & 0x7f) ))
#define wtf_to_wcs32(p) \
+ ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 || (p)[3] == 0 || (p)[4] == 0 ? 0 : \
((wc_uint32)((p)[0] & 0x0f) << 28) \
| ((wc_uint32)((p)[1] & 0x7f) << 21) \
| ((wc_uint32)((p)[2] & 0x7f) << 14) \
| ((wc_uint32)((p)[3] & 0x7f) << 7) \
- | ((wc_uint32)((p)[4] & 0x7f) )
+ | ((wc_uint32)((p)[4] & 0x7f) ))
void
wtf_push(Str os, wc_ccs ccs, wc_uint32 code)
--
2.10.2
|