Fix buffer overflow in lex_ellipsize__

author John Darrington <john@darrington.wattle.id.au>

Sat, 20 Jun 2020 05:17:06 +0000 (07:17 +0200)

committer John Darrington <john@darrington.wattle.id.au>

Sat, 20 Jun 2020 05:17:03 +0000 (07:17 +0200)
author John Darrington <john@darrington.wattle.id.au>
Sat, 20 Jun 2020 05:17:06 +0000 (07:17 +0200)
committer John Darrington <john@darrington.wattle.id.au>
Sat, 20 Jun 2020 05:17:03 +0000 (07:17 +0200)
diff --git a/src/language/lexer/lexer.c b/src/language/lexer/lexer.c

index 9c402e679a949837720ce3f2589b0306b44b05cb..8d2468ab7bb31aae1e13e1eff902f0a2b88daa9f 100644 (file)
--- a/src/language/lexer/lexer.c
+++ b/src/language/lexer/lexer.c
@@ -1231,7 +1231,10 @@ lex_ellipsize__ (struct substring in, char *out, size_t out_size)
    int mblen;
  
    assert (out_size >= 16);
-  out_maxlen = out_size - (in.length >= out_size ? 3 : 0) - 1;
+  out_maxlen = out_size - 1;
+  if (in.length > out_maxlen - 3)
+    out_maxlen -= 3;
+
    for (out_len = 0; out_len < in.length; out_len += mblen)
      {
        if (in.string[out_len] == '\n'
@@ -1243,6 +1246,10 @@ lex_ellipsize__ (struct substring in, char *out, size_t out_size)
  
        mblen = u8_mblen (CHAR_CAST (const uint8_t *, in.string + out_len),
                          in.length - out_len);
+
+      if (mblen < 0)
+        break;
+
        if (out_len + mblen > out_maxlen)
          break;
      }
author	John Darrington <john@darrington.wattle.id.au>
	Sat, 20 Jun 2020 05:17:06 +0000 (07:17 +0200)
committer	John Darrington <john@darrington.wattle.id.au>
	Sat, 20 Jun 2020 05:17:03 +0000 (07:17 +0200)