From 486da133569ebfc436c959a7419565ab102e8525 Mon Sep 17 00:00:00 2001
|
|
From: Michael Catanzaro <mcatanzaro@redhat.com>
|
|
Date: Fri, 15 Apr 2022 18:09:46 -0500
|
|
Subject: [PATCH] Fix memory corruption in ephy_string_shorten()
|
|
|
|
This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228.
|
|
|
|
I got my browser stuck in a crash loop today while visiting a website
|
|
with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only
|
|
condition in which ephy_string_shorten() is ever used. Turns out this
|
|
commit is wrong: an ellipsis is a multibyte character (three bytes in
|
|
UTF-8) and so we're writing past the end of the buffer when calling
|
|
strcat() here. Ooops.
|
|
|
|
Shame it took nearly four years to notice and correct this.
|
|
|
|
Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106>
|
|
---
|
|
lib/ephy-string.c | 5 ++---
|
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/lib/ephy-string.c b/lib/ephy-string.c
|
|
index 35a148ab3..8e524d52c 100644
|
|
--- a/lib/ephy-string.c
|
|
+++ b/lib/ephy-string.c
|
|
@@ -114,11 +114,10 @@ ephy_string_shorten (char *str,
|
|
/* create string */
|
|
bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str);
|
|
|
|
- /* +1 for ellipsis, +1 for trailing NUL */
|
|
- new_str = g_new (gchar, bytes + 1 + 1);
|
|
+ new_str = g_new (gchar, bytes + strlen ("…") + 1);
|
|
|
|
strncpy (new_str, str, bytes);
|
|
- strcat (new_str, "…");
|
|
+ strncpy (new_str + bytes, "…", strlen ("…") + 1);
|
|
|
|
g_free (str);
|
|
|
|
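Review bot: The second `strncpy` on the `new_str + bytes` line is a `strcpy` in disguise — its bound is `strlen ("…") + 1`, exactly the source length including the terminator — so `memcpy (new_str + bytes, "…", strlen ("…") + 1);` states the intent more plainly and avoids the "strncpy is the safe copy" misreading that a later reader may apply to it (the first `strncpy (new_str, str, bytes)` is likewise a plain `memcpy` of `bytes` bytes, since no terminator is expected from it). The allocation and the copy now both take the ellipsis width from the same literal, which is what makes the sizes agree however the compiler encodes it; hoisting it into one constant such as `static const char ellipsis[] = "…";` and using `sizeof ellipsis` for both the `g_new` count and the copy length keeps the two from drifting apart again. The removed size comment was not replaced; a short `/* the ellipsis is multi-byte in UTF-8; +1 for the trailing NUL */` above the `g_new` call records the lesson this commit fixes. ephy_string_shorten begins before the hunk, so whether `target_length` is validated to be at least 1 before `target_length - 1` is passed to `g_utf8_offset_to_pointer` cannot be judged here.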
--
|
|
GitLab
|
|
|