[epiphany/mcatanzaro/memory-corruption] Fix memory corruption in ephy_string_shorten()
- From: Marge Bot <marge-bot src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [epiphany/mcatanzaro/memory-corruption] Fix memory corruption in ephy_string_shorten()
- Date: Fri, 15 Apr 2022 23:40:56 +0000 (UTC)
commit 486da133569ebfc436c959a7419565ab102e8525
Author: Michael Catanzaro <mcatanzaro redhat com>
Date: Fri Apr 15 18:09:46 2022 -0500
Fix memory corruption in ephy_string_shorten()
This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228.
I got my browser stuck in a crash loop today while visiting a website
with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only
condition in which ephy_string_shorten() is ever used. Turns out this
commit is wrong: an ellipsis is a multibyte character (three bytes in
UTF-8) and so we're writing past the end of the buffer when calling
strcat() here. Ooops.
Shame it took nearly four years to notice and correct this.
Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106>
lib/ephy-string.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
---
diff --git a/lib/ephy-string.c b/lib/ephy-string.c
index 35a148ab3..8e524d52c 100644
--- a/lib/ephy-string.c
+++ b/lib/ephy-string.c
@@ -114,11 +114,10 @@ ephy_string_shorten (char *str,
/* create string */
bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str);
- /* +1 for ellipsis, +1 for trailing NUL */
- new_str = g_new (gchar, bytes + 1 + 1);
+ new_str = g_new (gchar, bytes + strlen ("…") + 1);
strncpy (new_str, str, bytes);
- strcat (new_str, "…");
+ strncpy (new_str + bytes, "…", strlen ("…") + 1);
g_free (str);
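Review bot: the two `strlen ("…")` calls in the `g_new` and `strncpy` lines are evaluated at run time and can drift apart if one is edited without the other; a single `#define ELLIPSIS "…"` used in both places (with `sizeof (ELLIPSIS)`, which already includes the NUL, for the allocation) would make the sizing a compile-time constant and tie the two lines together. The removed `/* +1 for ellipsis, +1 for trailing NUL */` comment also deserves a replacement stating that the ellipsis is three bytes in UTF-8, since that is exactly the fact the old code got wrong. Finally, `strncpy (new_str, str, bytes)` copies exactly `bytes` bytes and deliberately writes no terminator, and the second `strncpy` copies a fixed-size literal including its NUL; `memcpy` states both intents more plainly than `strncpy`, whose usual purpose is padding or bounded copying.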
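As an added illustration (not Epiphany's code), a plain-libc version of the shortening routine that sizes the buffer by the byte length of the ellipsis, as the fix above does; `utf8_offset_to_pointer` and `utf8_strlen` are stand-ins for the GLib helpers and assume valid UTF-8 input.

```c
#include <stdlib.h>
#include <string.h>

/* Step over n UTF-8 characters and return a pointer into s (stand-in for
 * g_utf8_offset_to_pointer; assumes s is valid UTF-8). */
static const char *utf8_offset_to_pointer(const char *s, size_t n)
{
    while (n > 0 && *s) {
        s++;
        while ((*s & 0xC0) == 0x80)      /* skip continuation bytes */
            s++;
        n--;
    }
    return s;
}

/* Number of UTF-8 characters (code points) in s. */
size_t utf8_strlen(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if ((*s & 0xC0) != 0x80)
            n++;
    return n;
}

/* Return a newly malloc'd copy of str holding at most target_length
 * characters, the last of which is "…" when anything was cut. */
char *shorten_utf8(const char *str, size_t target_length)
{
    static const char ellipsis[] = "…";           /* 3 bytes + NUL in UTF-8 */
    const size_t ellipsis_len = sizeof(ellipsis) - 1;
    size_t bytes;
    char *out;

    if (utf8_strlen(str) <= target_length) {      /* nothing to cut */
        out = malloc(strlen(str) + 1);
        return out ? strcpy(out, str) : NULL;
    }
    if (target_length == 0)
        target_length = 1;                        /* room for the ellipsis only */
    /* Keep target_length - 1 characters; the ellipsis becomes the last one. */
    bytes = (size_t)(utf8_offset_to_pointer(str, target_length - 1) - str);

    /* Size by the ellipsis's byte length, not by "one character": the buggy
     * bytes + 1 + 1 allocation is two bytes short, and strcat overruns it. */
    out = malloc(bytes + ellipsis_len + 1);
    if (!out)
        return NULL;
    memcpy(out, str, bytes);                      /* exact bytes, no terminator yet */
    memcpy(out + bytes, ellipsis, ellipsis_len + 1); /* ellipsis plus its NUL */
    return out;
}

/* 1 if shorten_utf8(in, target) yields exactly expected, else 0. */
int shorten_check(const char *in, size_t target, const char *expected)
{
    char *got = shorten_utf8(in, target);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}
```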