[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
emacs-27 b9ec611: Fix buffer overflow in xbm_scan (bug#47094)
From: |
Eli Zaretskii |
Subject: |
emacs-27 b9ec611: Fix buffer overflow in xbm_scan (bug#47094) |
Date: |
Sun, 14 Mar 2021 00:51:00 -0500 (EST) |
branch: emacs-27
commit b9ec6111e294af747958c6f13150b8dc99dba6e2
Author: Alan Third <alan@idiocy.org>
Commit: Eli Zaretskii <eliz@gnu.org>
Fix buffer overflow in xbm_scan (bug#47094)
* src/image.c (xbm_scan): Ensure reading a string doesn't overflow the
buffer.
(cherry picked from commit ebc3b25409dd614c1814a0643960452683e37aa3)
---
src/image.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/image.c b/src/image.c
index cd095e0..e3eae5c 100644
--- a/src/image.c
+++ b/src/image.c
@@ -3256,6 +3256,7 @@ static int
xbm_scan (char **s, char *end, char *sval, int *ival)
{
unsigned char c UNINIT;
+ char *sval_end = sval + BUFSIZ;
loop:
@@ -3315,7 +3316,7 @@ xbm_scan (char **s, char *end, char *sval, int *ival)
else if (c_isalpha (c) || c == '_')
{
*sval++ = c;
- while (*s < end
+ while (*s < end && sval < sval_end
&& (c = *(*s)++, (c_isalnum (c) || c == '_')))
*sval++ = c;
*sval = 0;
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- emacs-27 b9ec611: Fix buffer overflow in xbm_scan (bug#47094),
Eli Zaretskii <=