[epiphany/mcatanzaro/memory-corruption] Fix memory corruption in ephy_string_shorten()




commit 486da133569ebfc436c959a7419565ab102e8525
Author: Michael Catanzaro <mcatanzaro redhat com>
Date:   Fri Apr 15 18:09:46 2022 -0500

    Fix memory corruption in ephy_string_shorten()
    
    This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228.
    
    I got my browser stuck in a crash loop today while visiting a website
    with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only
    condition in which ephy_string_shorten() is ever used. Turns out this
    commit is wrong: an ellipses is a multibyte character (three bytes in
    UTF-8) and so we're writing past the end of the buffer when calling
    strcat() here. Ooops.
    
    Shame it took nearly four years to notice and correct this.
    
    Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106>

 lib/ephy-string.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
---
diff --git a/lib/ephy-string.c b/lib/ephy-string.c
index 35a148ab3..8e524d52c 100644
--- a/lib/ephy-string.c
+++ b/lib/ephy-string.c
@@ -114,11 +114,10 @@ ephy_string_shorten (char  *str,
   /* create string */
   bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str);
 
-  /* +1 for ellipsis, +1 for trailing NUL */
-  new_str = g_new (gchar, bytes + 1 + 1);
+  new_str = g_new (gchar, bytes + strlen ("…") + 1);
 
   strncpy (new_str, str, bytes);
-  strcat (new_str, "…");
+  strncpy (new_str + bytes, "…", strlen ("…") + 1);
 
   g_free (str);
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]