
Fix buffer overread in _mucwin_print_mention()

The end offset passed to g_utf8_substring() is higher than the string length. We can
avoid g_utf8_substring() for the tail and simply convert the starting offset
to a pointer.
This commit is contained in:
Dmitry Podgorny 2021-07-17 19:33:28 +03:00
parent 45fd229c11
commit a5d15e224c


@ -389,7 +389,7 @@ _mucwin_print_mention(ProfWin* window, const char* const message, const char* co
while (curr) { while (curr) {
pos = GPOINTER_TO_INT(curr->data); pos = GPOINTER_TO_INT(curr->data);
char *before_str = g_utf8_substring(message, last_pos, last_pos + pos - last_pos); char *before_str = g_utf8_substring(message, last_pos, pos);
if (strncmp(before_str, "/me ", 4) == 0) { if (strncmp(before_str, "/me ", 4) == 0) {
win_print_them(window, THEME_ROOMMENTION, ch, flags, ""); win_print_them(window, THEME_ROOMMENTION, ch, flags, "");
@ -416,9 +416,9 @@ _mucwin_print_mention(ProfWin* window, const char* const message, const char* co
glong message_len = g_utf8_strlen(message, -1); glong message_len = g_utf8_strlen(message, -1);
if (last_pos < message_len) { if (last_pos < message_len) {
char* rest = g_utf8_substring(message, last_pos, last_pos + message_len); // get tail without allocating a new string
char* rest = g_utf8_offset_to_pointer(message, last_pos);
win_appendln_highlight(window, THEME_ROOMMENTION, "%s", rest); win_appendln_highlight(window, THEME_ROOMMENTION, "%s", rest);
g_free(rest);
} else { } else {
win_appendln_highlight(window, THEME_ROOMMENTION, ""); win_appendln_highlight(window, THEME_ROOMMENTION, "");
} }
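Review bot: The new `rest` now aliases `message` (a `const char* const` parameter) instead of owning a copy, yet it is still declared `char*`; declaring it `const char* rest = g_utf8_offset_to_pointer(message, last_pos);` would stop a later edit from writing through it or re-adding the `g_free(rest)` this commit removes, and the comment above it could state that: `// tail points into message: not owned, do not free`. The `if (last_pos < message_len)` guard keeps the character offset inside the string, so the pointer conversion is sound provided `last_pos` is a character count, which the comparison against `g_utf8_strlen()` suggests but the hunk does not prove. In the first hunk, `g_utf8_substring(message, last_pos, pos)` is only valid when `pos >= last_pos`, i.e. when the mention positions in `curr` arrive in ascending order; that ordering is established outside the hunk, so a one-line comment on the list's contract would help. _mucwin_print_mention starts and ends outside both hunks.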