commit ad4877023146953d4daa8d91c119124c38620337
parent 4b4292a8f78eec4271213982fdddaf1c479dfe96
Author: Christopher Wellons <wellons@nullprogram.com>
Date: Fri, 7 Oct 2022 11:33:10 -0400
Check for empty destination before NUL-terminating
This overflow was triggered in the second test of to_lowercase_utf8
where the destination is zero length (w->destlen == 0). `w->destlen`
would overflow by subtraction, then the subscript would overflow the
destination.
Signed-off-by: Laslo Hunhold <dev@frign.de>
Diffstat:
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util.c b/src/util.c
@@ -207,7 +207,7 @@ herodotus_writer_nul_terminate(HERODOTUS_WRITER *w)
} else { /* w->type == HERODOTUS_TYPE_UTF8 */
((char *)(w->dest))[w->first_unwritable_offset] = '\0';
}
- } else {
+ } else if (w->destlen > 0) {
/*
* In this case, there is no more space in the buffer and
* the last unwritable offset is larger than
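Review bot: The new `else if (w->destlen > 0)` makes the zero-length case fall through without writing anything, but nothing at the branch says so, and the block comment under it still describes only the full-buffer case. A caller that passes a destination with `destlen == 0` now gets a buffer that is not NUL-terminated; that is the only safe outcome, but it is easy to miss and matters to any caller that later treats the destination as a C string. I would extend the comment with one line such as `/* destlen == 0: no room for a terminator, dest is left untouched and unterminated */` and state the same in the function's header documentation. The function body starts before and continues past this hunk, so the store that presumably uses `w->destlen - 1` is not visible here.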