Andrew Geissler | 615f2f1 | 2022-07-15 14:00:58 -0500 | [diff] [blame^] | 1 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355 |
| 2 | |
| 3 | CVE: CVE-2022-0529 |
| 4 | Upstream-Status: Inactive-Upstream [need a new release] |
| 5 | |
| 6 | diff --git a/process.c b/process.c |
| 7 | index d2a846e..99b9c7b 100644 |
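--- a/process.c
+++ b/process.c
@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all)
 char buf[9];
 char *buffer = NULL;
 char *local_string = NULL;
+ size_t buffer_size;
 
 for (wsize = 0; wide_string[wsize]; wsize++) ;
 
 if (max_bytes < MAX_ESCAPE_BYTES)
 max_bytes = MAX_ESCAPE_BYTES;
 
- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
+ buffer_size = wsize * max_bytes + 1;
+ if ((buffer = (char *)malloc(buffer_size)) == NULL) {
 return NULL;
 }
 
@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all)
 /* no MB for this wide */
 /* use escape for wide character */
 char *escape_string = wide_to_escape_string(wide_string[i]);
- strcat(buffer, escape_string);
+ size_t buffer_len = strlen(buffer);
+ size_t escape_string_len = strlen(escape_string);
+ if (buffer_len + escape_string_len + 1 > buffer_size)
+ escape_string_len = buffer_size - buffer_len - 1;
+ strncat(buffer, escape_string, escape_string_len);
 free(escape_string);
 }
 }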
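Review bot: In the second hunk the clamp `escape_string_len = buffer_size - buffer_len - 1;` is computed in `size_t`, so it wraps to a very large value whenever `buffer_len` is already at or past `buffer_size`, and `strncat` then copies the whole escape string anyway; that case is only ruled out if every other append to `buffer` in this loop is bounded too, and those lie outside the hunk. I would compute the remaining room first, `size_t room = buffer_len < buffer_size ? buffer_size - buffer_len - 1 : 0;` followed by `if (escape_string_len > room) escape_string_len = room;`, and apply the same bound to any other `strcat`/`strncat` on `buffer` in `wide_to_local_string`. `escape_string` is also handed to `strlen` without a NULL check, which matters if `wide_to_escape_string` can fail on allocation (not visible here). In the first hunk, `wsize * max_bytes + 1` is evaluated in the operands' own type before it is assigned to `buffer_size`; if they are declared as `int` (the declarations are outside the hunk), a very long name could overflow before the conversion, so casting one operand to `size_t` and checking the product against `SIZE_MAX` is worth adding. The function body begins and ends outside both hunks.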