From a5d15e224c94d44f3cc11a802cc6c10a6086fdb4 Mon Sep 17 00:00:00 2001
From: Dmitry Podgorny
Date: Sat, 17 Jul 2021 19:33:28 +0300
Subject: Fix buffer overread in _mucwin_print_mention()
Offset for g_utf8_substring() is higher than the string length. We can avoid g_utf8_substring() for the tail and simply convert starting offset to a pointer.
---
 src/ui/mucwin.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'src/ui')
diff --git a/src/ui/mucwin.c b/src/ui/mucwin.c
index 54778acb..20d3025b 100644
--- a/src/ui/mucwin.c
+++ b/src/ui/mucwin.c
@@ -389,7 +389,7 @@ _mucwin_print_mention(ProfWin* window, const char* const message, const char* co
     while (curr) {
         pos = GPOINTER_TO_INT(curr->data);
-        char *before_str = g_utf8_substring(message, last_pos, last_pos + pos - last_pos);
+        char *before_str = g_utf8_substring(message, last_pos, pos);
         if (strncmp(before_str, "/me ", 4) == 0) {
             win_print_them(window, THEME_ROOMMENTION, ch, flags, "");
@@ -416,9 +416,9 @@ _mucwin_print_mention(ProfWin* window, const char* const message, const char* co
     glong message_len = g_utf8_strlen(message, -1);
     if (last_pos < message_len) {
-        char* rest = g_utf8_substring(message, last_pos, last_pos + message_len);
+        // get tail without allocating a new string
+        char* rest = g_utf8_offset_to_pointer(message, last_pos);
         win_appendln_highlight(window, THEME_ROOMMENTION, "%s", rest);
-        g_free(rest);
     } else {
         win_appendln_highlight(window, THEME_ROOMMENTION, "");
     }
--
cgit 1.4.1-2-gfad0
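Review bot: In the second hunk `rest` now points into the caller's `const char* const message` but is declared `char*`, so the const is silently dropped (g_utf8_offset_to_pointer() returns a non-const pointer) and nothing stops a later edit from re-adding `g_free(rest)` or writing through it; declare it `const char* rest = g_utf8_offset_to_pointer(message, last_pos);` and make the comment state the ownership, e.g. `// tail points into message (not owned here): do not free or modify`. The `last_pos < message_len` guard is the only thing keeping g_utf8_offset_to_pointer() from walking past the terminator, so a short comment that `last_pos` is a character offset into `message` (the same unit g_utf8_strlen() counts) would make that invariant explicit for whoever next touches the loop above. Both g_utf8_strlen() and g_utf8_offset_to_pointer() assume well-formed UTF-8, so this presumably relies on `message` having been validated before reaching the UI layer; worth confirming given the text originates from the room. `_mucwin_print_mention` begins and ends outside the hunk.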