| author | Alan Third | 2021-03-13 21:59:59 +0000 |
|---|---|---|
| committer | Eli Zaretskii | 2021-03-14 07:48:47 +0200 |
| commit | b9ec6111e294af747958c6f13150b8dc99dba6e2 (patch) | |
| tree | 9b9bb7722eea1bdf080d2d79f2d9e832bd955335 /src | |
| parent | f60eb988f6dfcd590d17dd6fd3f93ee71e830391 (diff) | |
Fix buffer overflow in xbm_scan (bug#47094)
* src/image.c (xbm_scan): Ensure reading a string doesn't overflow the
buffer.
(cherry picked from commit ebc3b25409dd614c1814a0643960452683e37aa3)
Diffstat (limited to 'src')
| -rw-r--r-- | src/image.c | 3 |
1 files changed, 2 insertions, 1 deletions
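--- a/src/image.c
+++ b/src/image.c
@@ -3256,6 +3256,7 @@ static int
 xbm_scan (char **s, char *end, char *sval, int *ival)
 {
 unsigned char c UNINIT;
+char *sval_end = sval + BUFSIZ;
 
 loop:
 
@@ -3315,7 +3316,7 @@ xbm_scan (char **s, char *end, char *sval, int *ival)
 else if (c_isalpha (c) || c == '_')
 {
 *sval++ = c;
-while (*s < end
+while (*s < end && sval < sval_end
 && (c = *(*s)++, (c_isalnum (c) || c == '_')))
 *sval++ = c;
 *sval = 0;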
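Review bot: The new bound in `xbm_scan` still allows a one-byte write past the buffer. `sval_end` is `sval + BUFSIZ` and the loop stores while `sval < sval_end`, so an identifier that fills the space leaves `sval == sval_end` and the terminating `*sval = 0;` lands on index `BUFSIZ`. Assuming the callers pass an array of exactly `BUFSIZ` bytes (their declarations are not visible here), reserve the terminator's slot with `char *sval_end = sval + BUFSIZ - 1;`. The size is an unstated contract between caller and callee, so a comment on the function such as `/* SVAL must point to a buffer of at least BUFSIZ bytes. */` would record it. The function body continues outside both hunks, so any other writes through `sval` could not be checked from this page.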