From b9ec6111e294af747958c6f13150b8dc99dba6e2 Mon Sep 17 00:00:00 2001 From: Alan Third Date: Sat, 13 Mar 2021 21:59:59 +0000 Subject: [PATCH] Fix buffer overflow in xbm_scan (bug#47094) * src/image.c (xbm_scan): Ensure reading a string doesn't overflow the buffer. (cherry picked from commit ebc3b25409dd614c1814a0643960452683e37aa3) --- src/image.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/image.c b/src/image.c index cd095e0e659..e3eae5c497c 100644 --- a/src/image.c +++ b/src/image.c @@ -3256,6 +3256,7 @@ static int xbm_scan (char **s, char *end, char *sval, int *ival) { unsigned char c UNINIT; + char *sval_end = sval + BUFSIZ; loop: @@ -3315,7 +3316,7 @@ xbm_scan (char **s, char *end, char *sval, int *ival) else if (c_isalpha (c) || c == '_') { *sval++ = c; - while (*s < end + while (*s < end && sval < sval_end && (c = *(*s)++, (c_isalnum (c) || c == '_'))) *sval++ = c; *sval = 0; -- 2.39.2