diff options
author | Milan Crha <mcrha@redhat.com> | 2019-05-14 18:27:44 -0400 |
---|---|---|
committer | Allen Winter <allen.winter@kdab.com> | 2019-05-14 18:30:37 -0400 |
commit | ac86975b2c3bdee9e4ff86826f06fd9ff06c8cf2 (patch) | |
tree | bf66a67d2bd7dd999af606174052863bdb453300 /src/libical/icalvalue.c | |
parent | 645068e8371c7e0b5f0f75c48cbf3e04ccca49ba (diff) | |
download | libical-git-ac86975b2c3bdee9e4ff86826f06fd9ff06c8cf2.tar.gz |
src/libical/icalvalue.c,src/test/regression.c - fix an overrun
in icalvalue_decode_ical_string(), with associated test
Diffstat (limited to 'src/libical/icalvalue.c')
-rw-r--r-- | src/libical/icalvalue.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/libical/icalvalue.c b/src/libical/icalvalue.c index 2ea72d4d..44541498 100644 --- a/src/libical/icalvalue.c +++ b/src/libical/icalvalue.c @@ -1511,8 +1511,8 @@ int icalvalue_decode_ical_string(const char *szText, char *szDecText, int nMaxBu if ((szText == 0) || (szDecText == 0)) return 0; - buf_sz = strlen(szText); - str_p = str = (char *)icalmemory_new_buffer(buf_sz + 1); + buf_sz = strlen(szText) + 1; + str_p = str = (char *)icalmemory_new_buffer(buf_sz); if (str_p == 0) { return 0; @@ -1525,11 +1525,14 @@ int icalvalue_decode_ical_string(const char *szText, char *szDecText, int nMaxBu } else { icalmemory_append_char(&str, &str_p, &buf_sz, *p); } + + if (str_p - str > nMaxBufferLen) + break; } icalmemory_append_char(&str, &str_p, &buf_sz, '\0'); - if ((int)strlen(str) > nMaxBufferLen) { + if ((int)strlen(str) >= nMaxBufferLen) { icalmemory_free_buffer(str); return 0; } |