From e84caa54f2e93849b04b86b8cc1e1c73208a451a Mon Sep 17 00:00:00 2001 From: John Darrington Date: Sat, 20 Jun 2020 07:17:06 +0200 Subject: [PATCH] Fix buffer overflow in lex_ellipsize__ Reported by: Andrea Fioraldi Fixes bug: #58586 --- src/language/lexer/lexer.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/language/lexer/lexer.c b/src/language/lexer/lexer.c index 9c402e679a..8d2468ab7b 100644 --- a/src/language/lexer/lexer.c +++ b/src/language/lexer/lexer.c @@ -1231,7 +1231,10 @@ lex_ellipsize__ (struct substring in, char *out, size_t out_size) int mblen; assert (out_size >= 16); - out_maxlen = out_size - (in.length >= out_size ? 3 : 0) - 1; + out_maxlen = out_size - 1; + if (in.length > out_maxlen - 3) + out_maxlen -= 3; + for (out_len = 0; out_len < in.length; out_len += mblen) { if (in.string[out_len] == '\n' @@ -1243,6 +1246,10 @@ lex_ellipsize__ (struct substring in, char *out, size_t out_size) mblen = u8_mblen (CHAR_CAST (const uint8_t *, in.string + out_len), in.length - out_len); + + if (mblen < 0) + break; + if (out_len + mblen > out_maxlen) break; } -- 2.30.2
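Review bot: In the first hunk of lex_ellipsize__, the new test `in.length > out_maxlen - 3` is only safe because of `assert (out_size >= 16)` directly above it. If out_maxlen is a size_t like out_size (its declaration is outside the hunk), a build with NDEBUG drops the assert, and an out_size below 4 would wrap the subtraction and leave the bound far larger than the buffer. Since this value is what keeps writes inside `out`, I would state the precondition next to the arithmetic, e.g. `/* Callers must pass out_size >= 16, so out_maxlen - 3 cannot wrap. */`, or turn it into a real runtime check. A one-line comment saying what the three reserved bytes are for (presumably an ellipsis appended after the loop, which is not visible here) would also help.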
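Review bot: In the second hunk the new guard `if (mblen < 0) break;` does not cover mblen == 0, which u8_mblen returns when the next character is NUL. The loop header advances with `out_len += mblen`, so a zero leaves out_len unchanged while `out_len < in.length` stays true, and the loop would not terminate. Whether a NUL byte can reach in.string is not visible from this hunk, but the input is lexer text, so I would widen the guard to `if (mblen <= 0) break;`. The end of the function, where the result is copied into `out`, is outside the hunk.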