path: root/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch
blob: 71cfc1238a65dd3104865eaf82b6fca0730b5555 (plain)
CVE: CVE-2022-29536
Upstream-Status: Backport [ https://gitlab.gnome.org/GNOME/epiphany/-/commit/486da133569ebfc436c959a7419565ab102e8525 ]
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>

From 486da133569ebfc436c959a7419565ab102e8525 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Fri, 15 Apr 2022 18:09:46 -0500
Subject: [PATCH] Fix memory corruption in ephy_string_shorten()

This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228.

I got my browser stuck in a crash loop today while visiting a website
with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only
condition in which ephy_string_shorten() is ever used. Turns out this
commit is wrong: an ellipsis is a multibyte character (three bytes in
UTF-8) and so we're writing past the end of the buffer when calling
strcat() here. Ooops.

Shame it took nearly four years to notice and correct this.

Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106>
---
 lib/ephy-string.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/ephy-string.c b/lib/ephy-string.c
index 35a148ab32..8e524d52ca 100644
--- a/lib/ephy-string.c
+++ b/lib/ephy-string.c
@@ -114,11 +114,10 @@ ephy_string_shorten (char  *str,
   /* create string */
   bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str);
 
-  /* +1 for ellipsis, +1 for trailing NUL */
-  new_str = g_new (gchar, bytes + 1 + 1);
+  new_str = g_new (gchar, bytes + strlen ("…") + 1);
 
   strncpy (new_str, str, bytes);
-  strcat (new_str, "…");
+  strncpy (new_str + bytes, "…", strlen ("…") + 1);
 
   g_free (str);
 
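Review bot: the added `strncpy (new_str + bytes, "…", strlen ("…") + 1);` is a `memcpy` in disguise: the count equals the full source length including its NUL, so `memcpy (new_str + bytes, "…", strlen ("…") + 1)` or simply `strcpy (new_str + bytes, "…")` states the intent (copy the whole constant plus its terminator) more plainly. The unchanged `strncpy (new_str, str, bytes);` above it leans on the same property (it copies exactly `bytes` bytes and writes no terminator, which the second copy supplies), so `memcpy` fits both lines. The deleted comment "+1 for ellipsis, +1 for trailing NUL" was itself the wrong assumption; a replacement comment saying that "…" is three bytes in UTF-8 would stop the next reader from "simplifying" `strlen ("…")` back to 1, and hoisting `strlen ("…")` into one local used by both the `g_new` size and the copy keeps the allocation and the write from drifting apart again.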
-- 
GitLab
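The overflow described in the commit message, as an added example that is not Epiphany's code: a GLib-free model of `ephy_string_shorten()` that replays the pre-fix allocation and `strcat()` into a buffer with guard bytes (so the two out-of-bounds bytes can be counted without undefined behaviour), next to a corrected version that sizes and copies the ellipsis by its real byte length as the post-fix hunk does. The UTF-8 helpers (`utf8_strlen`, `utf8_offset_to_bytes`) stand in for `g_utf8_offset_to_pointer()`, assume valid UTF-8 input, and are this example's own; the "return a plain copy when the string already fits" behaviour is also an assumption, since that check is outside the hunk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Epiphany code): a GLib-free model of ephy_string_shorten().
 * ELLIPSIS is U+2026 spelled out byte by byte, the same three bytes as "…" in UTF-8,
 * so the example does not depend on the source file's encoding. */
#define ELLIPSIS "\xE2\x80\xA6"

/* Count code points in valid UTF-8: every byte that is not a continuation byte. */
static size_t utf8_strlen(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++)
        if (((unsigned char)*s & 0xC0) != 0x80)
            n++;
    return n;
}

/* Byte offset of code point number `offset`; stand-in for
 * g_utf8_offset_to_pointer (str, offset) - str. Assumes valid UTF-8. */
static size_t utf8_offset_to_bytes(const char *s, size_t offset)
{
    size_t i = 0;
    while (offset > 0 && s[i] != '\0') {
        unsigned char lead = (unsigned char)s[i];
        i += lead < 0x80 ? 1 : lead < 0xE0 ? 2 : lead < 0xF0 ? 3 : 4;
        offset--;
    }
    return i;
}

/* Replay the pre-fix write pattern ("+1 for ellipsis, +1 for trailing NUL", then
 * strcat) into a buffer that has guard bytes after the old allocation size, so the
 * out-of-bounds bytes can be observed without undefined behaviour. Returns how
 * many guard bytes the strcat() clobbered (0 on allocation failure). */
static size_t buggy_overrun(const char *str, size_t target_length)
{
    size_t bytes = utf8_offset_to_bytes(str, target_length - 1);
    size_t old_size = bytes + 1 + 1;          /* the pre-fix g_new() size */
    enum { GUARD = 8 };
    char *buf = calloc(old_size + GUARD, 1);
    size_t clobbered = 0, k;
    if (buf == NULL)
        return 0;
    memset(buf + old_size, 0xAA, GUARD);
    strncpy(buf, str, bytes);                  /* writes no NUL; calloc supplied one */
    strcat(buf, ELLIPSIS);                     /* writes 3 bytes + NUL from buf[bytes] */
    for (k = 0; k < GUARD; k++)
        if ((unsigned char)buf[old_size + k] != 0xAA)
            clobbered++;
    free(buf);
    return clobbered;
}

/* Corrected shortening, mirroring the post-fix hunk: size the buffer for the
 * real byte length of the ellipsis and copy it together with its terminator.
 * Returns a heap string the caller frees, or NULL on bad input or allocation
 * failure. Assumption: a string that already fits is returned as a plain copy. */
static char *shorten_utf8(const char *str, size_t target_length)
{
    const size_t ellipsis_len = strlen(ELLIPSIS);   /* 3, not 1 */
    size_t bytes;
    char *out;
    if (str == NULL || target_length == 0)
        return NULL;
    if (utf8_strlen(str) <= target_length) {
        out = malloc(strlen(str) + 1);
        return out ? strcpy(out, str) : NULL;
    }
    bytes = utf8_offset_to_bytes(str, target_length - 1);
    out = malloc(bytes + ellipsis_len + 1);          /* prefix + ellipsis + NUL */
    if (out == NULL)
        return NULL;
    memcpy(out, str, bytes);
    memcpy(out + bytes, ELLIPSIS, ellipsis_len + 1); /* ellipsis plus its NUL */
    return out;
}

/* Check helper: 1 if shortening `in` to `n` code points yields exactly `expected`. */
static int check_shorten(const char *in, size_t n, const char *expected)
{
    char *got = shorten_utf8(in, n);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    char *s;
    printf("pre-fix strcat() overruns the allocation by %zu bytes\n",
           buggy_overrun("abcdefghij", 5));
    s = shorten_utf8("abcdefghij", 5);
    printf("fixed: \"%s\" (%zu bytes)\n", s, strlen(s));
    free(s);
    return 0;
}
```

The overrun is always two bytes, whatever the title: the old size reserved one byte for the ellipsis, and `strcat()` writes three plus the terminator. The constructed inputs (ASCII and two-byte `ä` characters) show that the fix is independent of the prefix's own encoding width, since `bytes` already lands on a character boundary.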