From 82aa3fb80eed9eb7f5b0225a89d33a08b269dd9f Mon Sep 17 00:00:00 2001
From: Adrian Johnson
Date: Tue, 3 Jan 2023 15:08:48 +1030
Subject: Fix bug in strndup implementation

The strlen() could go past the n bytes and into a memory address we don't have read access to.
---
 util/cairo-missing/strndup.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'util')

diff --git a/util/cairo-missing/strndup.c b/util/cairo-missing/strndup.c
index 280ea3017..049802b76 100644
--- a/util/cairo-missing/strndup.c
+++ b/util/cairo-missing/strndup.c
@@ -37,15 +37,19 @@ char * strndup (const char *s, size_t n)
 {
+ const char *end;
 size_t len;
 char *sdup;
 if (s == NULL)
 return NULL;
- len = strlen (s);
- if (len > n)
+ end = memchr (s, 0, n);
+ if (end)
+ len = end - s;
+ else
 len = n;
+
 sdup = (char *) _cairo_malloc (len + 1);
 if (sdup != NULL) {
 memcpy (sdup, s, len);
-- 
cgit v1.2.1
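Review bot: The `end = memchr (s, 0, n);` line carries the whole fix, yet nothing in the code records why `strlen` must not be used here, so a later cleanup could bring back the out-of-bounds read; I would add above it `/* s may have no NUL in its first n bytes: scan at most n bytes, never strlen() */`. Callers that pass an n larger than the real buffer for a terminated string now depend on memchr stopping at the first match, which C11 specifies but is worth confirming on the older platforms this fallback is built for. The function body runs past the end of the hunk, so the terminator write after `memcpy (sdup, s, len);` is not visible here and is assumed unchanged.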