src/libical/icalvalue.c,src/test/regression.c - fix an overrun

in icalvalue_decode_ical_string(), with associated test
author: Milan Crha <mcrha@redhat.com> 2019-05-14 18:27:44 -0400
committer: Allen Winter <allen.winter@kdab.com> 2019-05-14 18:30:37 -0400
commit: ac86975b2c3bdee9e4ff86826f06fd9ff06c8cf2 (patch)
tree: bf66a67d2bd7dd999af606174052863bdb453300 /src/libical/icalvalue.c
parent: 645068e8371c7e0b5f0f75c48cbf3e04ccca49ba (diff)
download: libical-git-ac86975b2c3bdee9e4ff86826f06fd9ff06c8cf2.tar.gz
1 files changed, 6 insertions, 3 deletions
diff --git a/src/libical/icalvalue.c b/src/libical/icalvalue.c
index 2ea72d4d..44541498 100644
--- a/src/libical/icalvalue.c
+++ b/src/libical/icalvalue.c
@@ -1511,8 +1511,8 @@ int icalvalue_decode_ical_string(const char *szText, char *szDecText, int nMaxBu
     if ((szText == 0) || (szDecText == 0))
         return 0;
 
-    buf_sz = strlen(szText);
-    str_p = str = (char *)icalmemory_new_buffer(buf_sz + 1);
+    buf_sz = strlen(szText) + 1;
+    str_p = str = (char *)icalmemory_new_buffer(buf_sz);
 
     if (str_p == 0) {
         return 0;
@@ -1525,11 +1525,14 @@ int icalvalue_decode_ical_string(const char *szText, char *szDecText, int nMaxBu
         } else {
             icalmemory_append_char(&str, &str_p, &buf_sz, *p);
         }
+
+        if (str_p - str > nMaxBufferLen)
+            break;
     }
 
     icalmemory_append_char(&str, &str_p, &buf_sz, '\0');
 
-    if ((int)strlen(str) > nMaxBufferLen) {
+    if ((int)strlen(str) >= nMaxBufferLen) {
         icalmemory_free_buffer(str);
         return 0;
     }
author	Milan Crha <mcrha@redhat.com>	2019-05-14 18:27:44 -0400
committer	Allen Winter <allen.winter@kdab.com>	2019-05-14 18:30:37 -0400
commit	ac86975b2c3bdee9e4ff86826f06fd9ff06c8cf2 (patch)
tree	bf66a67d2bd7dd999af606174052863bdb453300 /src/libical/icalvalue.c
parent	645068e8371c7e0b5f0f75c48cbf3e04ccca49ba (diff)
download	libical-git-ac86975b2c3bdee9e4ff86826f06fd9ff06c8cf2.tar.gz