
dtdocbook/instant: fix buffer overflow on German umlaut in latin-1

One-off error:

Old buffer length was 6 for one character (3 * 1 + 3)
We need one more byte per character in the buffer for
the hex representation of it.

+0 '"'
+1 '\\'
+2 'x'
+3 'f'
+4 'c'
+5 '"'
+6 0x0 << overflow

tcl combined with RCHECK will abort because memory blocks
are allocated contiguously and we overwrite the magic marker
of the next block.
Marcin Cieślak, 4 years ago
parent
commit 5cebd7c4da
1 changed file with 1 addition and 1 deletion:
    cde/programs/dtdocbook/instant/main.c

cde/programs/dtdocbook/instant/main.c

@@ -359,7 +359,7 @@ static int DefaultOutputString(ClientData clientData,
 
     /* leave room for worst case expansion plus quotes plus null */
     pArgv = argv[1];
-    stringLength = (3 * strlen(pArgv)) + 3;
+    stringLength = (4 * strlen(pArgv)) + 3;
 
     string = Tcl_Alloc(stringLength);
     memset(string, 0, stringLength);
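Review bot: the new multiplier matches the `\xHH` expansion (4 output bytes per input byte) that the commit message describes, but the comment above the allocation still only says "worst case expansion", which is how the 3 crept in; suggest making the factor self-documenting, e.g. `/* each input byte may become \xHH (4 chars), plus two quotes plus NUL */`, so the constant cannot silently drift from the escaping code again. Also worth checking the declared type of `stringLength`: it is derived from `strlen()` (a `size_t`) but passed to `Tcl_Alloc`, and if it is a narrower signed type the multiplication by 4 can wrap on a long enough argument before the allocation happens.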