From 692d5c5215de0db482c252492a92fc424cc6a97c Mon Sep 17 00:00:00 2001
From: Tim Ruehsen <tim.ruehsen@gmx.de>
Date: Fri, 5 Apr 2019 11:50:44 +0200
Subject: Fix a buffer overflow vulnerability

* src/iri.c(do_conversion): Reallocate the output buffer to a larger
  size if it is already full
Upstream-Status: Backport
CVE: CVE-2019-5953
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
--- a/src/iri.c
+++ b/src/iri.c
@@ -188,11 +191,14 @@ do_conversion (const char *tocode, const char *fromcode, char const *in_org, siz
         }
       else if (errno == E2BIG) /* Output buffer full */
         {
+          logprintf (LOG_VERBOSE,
+                    _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen);
           tooshort++;
           done = len;
-          len = outlen = done + inlen * 2;
-          s = xrealloc (s, outlen + 1);
-          *out = s + done;
+          len = done + inlen * 2;
+          s = xrealloc (s, len + 1);
+          *out = s + done - outlen;
+          outlen += inlen * 2;
         }
       else /* Weird, we got an unspecified error */
         {
-- 
cgit v1.0-41-gc330