Fix buffer overflow in make-docfile
authorPaul Eggert <eggert@cs.ucla.edu>
Sun, 30 Apr 2017 06:35:27 +0000 (23:35 -0700)
committerPaul Eggert <eggert@cs.ucla.edu>
Sun, 30 Apr 2017 06:35:46 +0000 (23:35 -0700)
* lib-src/make-docfile.c (scan_c_stream): Check for buffer
overflow when reading an identifier.  Use a static buffer for NAME
rather than a small dynamically-allocated buffer.

lib-src/make-docfile.c

index 53970a06238d1bb1989661c95474eb34e7a717fa..9470bd635f5ccadbe6bb304f4d4963995e8b1a94 100644 (file)
@@ -845,8 +845,7 @@ scan_c_stream (FILE *infile)
       bool defvarperbufferflag = false;
       bool defvarflag = false;
       enum global_type type = INVALID;
-      static char *name;
-      static ptrdiff_t name_size;
+      static char name[sizeof input_buffer];
 
       if (c != '\n' && c != '\r')
        {
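Review bot: The declaration of `name` does not record why it is sized from `input_buffer`, although the unchecked `memcpy (name, input_buffer, i + 1)` further down in scan_c_stream is only in bounds because the two arrays have the same size. A comment on the declaration would keep a later resize of either buffer from silently reintroducing the overflow, for example `/* Same size as input_buffer: the identifier copied in below is bounded by it. */`. The body of scan_c_stream starts and ends outside this hunk, so any other users of `name` are not visible here.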
@@ -967,22 +966,13 @@ scan_c_stream (FILE *infile)
              if (c < 0)
                goto eof;
              input_buffer[i++] = c;
+             if (sizeof input_buffer <= i)
+               fatal ("identifier too long");
              c = getc (infile);
            }
          while (! (c == ',' || c == ' ' || c == '\t'
                    || c == '\n' || c == '\r'));
          input_buffer[i] = '\0';
-
-         if (name_size <= i)
-           {
-             free (name);
-             name_size = i + 1;
-             ptrdiff_t doubled;
-             if (! INT_MULTIPLY_WRAPV (name_size, 2, &doubled)
-                 && doubled <= SIZE_MAX)
-               name_size = doubled;
-             name = xmalloc (name_size);
-           }
          memcpy (name, input_buffer, i + 1);
 
          if (type == SYMBOL)
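Review bot: The added bound check runs after `input_buffer[i++] = c`, so the first store is only safe if `i` is already below `sizeof input_buffer` when the loop is entered; that initialisation is outside this hunk and is worth confirming. The `<=` comparison is what keeps one byte free for `input_buffer[i] = '\0'` after the loop, which is easy to break in a later edit, so I would add `/* Stop one short of the end: the terminating NUL is stored after the loop. */` above the check. The message `identifier too long` also gives no hint of which input triggered it; if the name of the file being scanned is in scope here, including it would make an aborted build easier to trace.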