diff options
author | Alan Third <alan@idiocy.org> | 2021-03-13 21:59:59 +0000 |
---|---|---|
committer | Alan Third <alan@idiocy.org> | 2021-03-13 22:01:31 +0000 |
commit | ebc3b25409dd614c1814a0643960452683e37aa3 (patch) | |
tree | 9d9d4dea67c6ce7cf0e28205a8801a196b7b94aa | |
parent | fbfc3bd31748015dfab9213ebedb99513a9cb2b9 (diff) | |
download | emacs-ebc3b25409dd614c1814a0643960452683e37aa3.tar.gz |
Fix buffer overflow in xbm_scan (bug#47094)
* src/image.c (xbm_scan): Ensure reading a string doesn't overflow the
buffer.
-rw-r--r-- | src/image.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/image.c b/src/image.c index 6d493f6cdd4..b85418c690d 100644 --- a/src/image.c +++ b/src/image.c @@ -3392,6 +3392,7 @@ static int xbm_scan (char **s, char *end, char *sval, int *ival) { unsigned char c UNINIT; + char *sval_end = sval + BUFSIZ; loop: @@ -3451,7 +3452,7 @@ xbm_scan (char **s, char *end, char *sval, int *ival) else if (c_isalpha (c) || c == '_') { *sval++ = c; - while (*s < end + while (*s < end && sval < sval_end && (c = *(*s)++, (c_isalnum (c) || c == '_'))) *sval++ = c; *sval = 0; |