From a3f3fea14abbc59a2b47cae5bec6252ec3a1f8cf Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Sat, 29 Apr 2017 23:35:27 -0700
Subject: [PATCH] Fix buffer overflow in make-docfile
* lib-src/make-docfile.c (scan_c_stream): Check for buffer overflow when reading an identifier. Use a static buffer for NAME rather than a small dynamically-allocated buffer.
---
 lib-src/make-docfile.c | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/lib-src/make-docfile.c b/lib-src/make-docfile.c
index 53970a06238..9470bd635f5 100644
--- a/lib-src/make-docfile.c
+++ b/lib-src/make-docfile.c
@@ -845,8 +845,7 @@ scan_c_stream (FILE *infile)
 bool defvarperbufferflag = false;
 bool defvarflag = false;
 enum global_type type = INVALID;
- static char *name;
- static ptrdiff_t name_size;
+ static char name[sizeof input_buffer];
 if (c != '\n' && c != '\r') {
@@ -967,22 +966,13 @@ scan_c_stream (FILE *infile)
 if (c < 0) goto eof;
 input_buffer[i++] = c;
+ if (sizeof input_buffer <= i)
+ fatal ("identifier too long");
 c = getc (infile);
 } while (! (c == ',' || c == ' ' || c == '\t' || c == '\n' || c == '\r'));
 input_buffer[i] = '\0';
-
- if (name_size <= i)
- {
- free (name);
- name_size = i + 1;
- ptrdiff_t doubled;
- if (! INT_MULTIPLY_WRAPV (name_size, 2, &doubled)
- && doubled <= SIZE_MAX)
- name_size = doubled;
- name = xmalloc (name_size);
- }
 memcpy (name, input_buffer, i + 1);
 if (type == SYMBOL)
--
2.39.5
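Review bot: The new declaration `static char name[sizeof input_buffer];` in the first hunk has no comment explaining that its size is tied to `input_buffer`, although the later `memcpy (name, input_buffer, i + 1)` is only in bounds because of that coupling. I would add `/* Same size as input_buffer, so any identifier that fits there also fits in NAME.  */` above it. The sizing also relies on `input_buffer` being a true array here; its declaration is outside the hunk, and if it were a pointer `sizeof` would yield the pointer size instead. The body of scan_c_stream starts and ends outside the hunk.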
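Review bot: The added guard `if (sizeof input_buffer <= i)` in the second hunk runs after the store `input_buffer[i++] = c`, so it is sufficient only if `i` is already below the buffer size when the loop is entered. The loop head and the initialisation of `i` are outside the hunk, so that precondition should be confirmed for every path that reaches this loop. A one-line comment would record the invariant, e.g. `/* Keep one byte free for the NUL stored after the loop.  */`. The message passed to `fatal` names neither the file being scanned nor the offending text; whether `fatal` adds that context is not visible here, and if it does not, adding it would make a failed build easier to triage.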