storm/w3m
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prevent very long language tag in libwc

Browse Source 
Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32229
This commit is contained in:
Tatsuya Kinoshita
2021-03-23 01:36:46 +09:00
parent c62ea96b67
commit b9c2432101
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
libwc/ucs.c
View File

@@ -29,6 +29,7 @@
#include "map/ucs_isupper.map" #include "map/ucs_isupper.map"
#include "map/ucs_case.map" #include "map/ucs_case.map"
#define MAX_TAG_LEN (8 + 1 + 8)
#define MAX_TAG_MAP 0x100 #define MAX_TAG_MAP 0x100
static int n_tag_map = 0; static int n_tag_map = 0;
static char *tag_map[ MAX_TAG_MAP ]; static char *tag_map[ MAX_TAG_MAP ];
@@ -701,11 +702,12 @@ wtf_push_ucs(Str os, wc_uint32 ucs, wc_status *st)
if (! WcOption.use_language_tag) if (! WcOption.use_language_tag)
return; return;
if (ucs == WC_C_LANGUAGE_TAG) if (ucs == WC_C_LANGUAGE_TAG)
st->tag = Strnew_size(4); st->tag = Strnew_size(MAX_TAG_LEN);
else if (ucs == WC_C_CANCEL_TAG) { else if (ucs == WC_C_CANCEL_TAG) {
st->tag = NULL; st->tag = NULL;
st->ntag = 0; st->ntag = 0;
} else if (st->tag && ucs >= WC_C_TAG_SPACE) } else if (st->tag && st->tag->length < MAX_TAG_LEN &&
ucs >= WC_C_TAG_SPACE)
Strcat_char(st->tag, (char)(ucs & 0x7f)); Strcat_char(st->tag, (char)(ucs & 0x7f));
return; return;
} }