From 41ef29132b50404f6157d83d1edf9a133e422c9f Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Sun, 14 May 2017 08:08:57 +0100 Subject: Fix two potential buffer under/overruns. The one in wcwidth.c actually came up in one of my valgrind runs: if you passed it a non-null-terminated wide string (specifically, one that reaches invalid memory exactly when the length parameter runs out), it would illegally load the character beyond the end of the string before noticing that the length parameter said it shouldn't. The one in bk_man.c may well not be able to come up at all, but I spotted it in passing and I thought I might as well fix it - it makes me twitch on general principles to see any use of buf[len-1] without having checked len>0 first. --- wcwidth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'wcwidth.c') diff --git a/wcwidth.c b/wcwidth.c index bc4ae7f..e96b7a1 100644 --- a/wcwidth.c +++ b/wcwidth.c @@ -124,7 +124,7 @@ int mk_wcswidth(const wchar_t *pwcs, size_t n) { int w, width = 0; - for (;*pwcs && n-- > 0; pwcs++) + for (; n-- > 0 && *pwcs; pwcs++) if ((w = mk_wcwidth(*pwcs)) < 0) return -1; else -- cgit v1.1
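Review bot: In the new loop condition in mk_wcswidth, `n-- > 0` still decrements the size_t `n` on the pass where it is already 0, so `n` wraps to its maximum value when the loop exits that way; this is harmless only if nothing reads `n` after the loop, which the visible context does not show. Moving the decrement into the increment clause, as in `for (; n > 0 && *pwcs; pwcs++, n--)`, keeps the length check ahead of the dereference and avoids the wrap. A one-line comment above the loop saying that `n` must be tested before `*pwcs`, because the string is not required to be null-terminated within `n` characters, would stop a later tidy-up from swapping the operands back.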