1*4882a593Smuzhiyunhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355 2*4882a593Smuzhiyun 3*4882a593SmuzhiyunCVE: CVE-2022-0529 4*4882a593SmuzhiyunUpstream-Status: Inactive-Upstream [need a new release] 5*4882a593Smuzhiyun 6*4882a593Smuzhiyundiff --git a/process.c b/process.c 7*4882a593Smuzhiyunindex d2a846e..99b9c7b 100644 8*4882a593Smuzhiyun--- a/process.c 9*4882a593Smuzhiyun+++ b/process.c 10*4882a593Smuzhiyun@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all) 11*4882a593Smuzhiyun char buf[9]; 12*4882a593Smuzhiyun char *buffer = NULL; 13*4882a593Smuzhiyun char *local_string = NULL; 14*4882a593Smuzhiyun+ size_t buffer_size; 15*4882a593Smuzhiyun 16*4882a593Smuzhiyun for (wsize = 0; wide_string[wsize]; wsize++) ; 17*4882a593Smuzhiyun 18*4882a593Smuzhiyun if (max_bytes < MAX_ESCAPE_BYTES) 19*4882a593Smuzhiyun max_bytes = MAX_ESCAPE_BYTES; 20*4882a593Smuzhiyun 21*4882a593Smuzhiyun- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) { 22*4882a593Smuzhiyun+ buffer_size = wsize * max_bytes + 1; 23*4882a593Smuzhiyun+ if ((buffer = (char *)malloc(buffer_size)) == NULL) { 24*4882a593Smuzhiyun return NULL; 25*4882a593Smuzhiyun } 26*4882a593Smuzhiyun 27*4882a593Smuzhiyun@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all) 28*4882a593Smuzhiyun /* no MB for this wide */ 29*4882a593Smuzhiyun /* use escape for wide character */ 30*4882a593Smuzhiyun char *escape_string = wide_to_escape_string(wide_string[i]); 31*4882a593Smuzhiyun- strcat(buffer, escape_string); 32*4882a593Smuzhiyun+ size_t buffer_len = strlen(buffer); 33*4882a593Smuzhiyun+ size_t escape_string_len = strlen(escape_string); 34*4882a593Smuzhiyun+ if (buffer_len + escape_string_len + 1 > buffer_size) 35*4882a593Smuzhiyun+ escape_string_len = buffer_size - buffer_len - 1; 36*4882a593Smuzhiyun+ strncat(buffer, escape_string, escape_string_len); 37*4882a593Smuzhiyun free(escape_string); 38*4882a593Smuzhiyun } 39*4882a593Smuzhiyun } 40