Fix buffer overflow in xbm_scan (bug#47094)

* src/image.c (xbm_scan): Ensure reading a string doesn't overflow the buffer. (cherry picked from commit ebc3b25409dd614c1814a0643960452683e37aa3)
author: Alan Third <alan@idiocy.org> 2021-03-13 21:59:59 +0000
committer: Eli Zaretskii <eliz@gnu.org> 2021-03-14 07:48:47 +0200
commit: b9ec6111e294af747958c6f13150b8dc99dba6e2 (patch)
tree: 9b9bb7722eea1bdf080d2d79f2d9e832bd955335
parent: f60eb988f6dfcd590d17dd6fd3f93ee71e830391 (diff)
download: emacs-b9ec6111e294af747958c6f13150b8dc99dba6e2.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/src/image.c b/src/image.c
index cd095e0e659..e3eae5c497c 100644
--- a/src/image.c
+++ b/src/image.c
@@ -3256,6 +3256,7 @@ static int
 xbm_scan (char **s, char *end, char *sval, int *ival)
 {
   unsigned char c UNINIT;
+  char *sval_end = sval + BUFSIZ;
 
  loop:
 
@@ -3315,7 +3316,7 @@ xbm_scan (char **s, char *end, char *sval, int *ival)
   else if (c_isalpha (c) || c == '_')
     {
       *sval++ = c;
-      while (*s < end
+      while (*s < end && sval < sval_end
 	     && (c = *(*s)++, (c_isalnum (c) || c == '_')))
 	*sval++ = c;
       *sval = 0;
author	Alan Third <alan@idiocy.org>	2021-03-13 21:59:59 +0000
committer	Eli Zaretskii <eliz@gnu.org>	2021-03-14 07:48:47 +0200
commit	b9ec6111e294af747958c6f13150b8dc99dba6e2 (patch)
tree	9b9bb7722eea1bdf080d2d79f2d9e832bd955335
parent	f60eb988f6dfcd590d17dd6fd3f93ee71e830391 (diff)
download	emacs-b9ec6111e294af747958c6f13150b8dc99dba6e2.tar.gz