CVE: CVE-2022-29536 Upstream-Status: Backport [ https://gitlab.gnome.org/GNOME/epiphany/-/commit/486da133569ebfc436c959a7419565ab102e8525 ] Signed-off-by: Lee Chee Yang From 486da133569ebfc436c959a7419565ab102e8525 Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Fri, 15 Apr 2022 18:09:46 -0500 Subject: [PATCH] Fix memory corruption in ephy_string_shorten() This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228. I got my browser stuck in a crash loop today while visiting a website with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only condition in which ephy_string_shorten() is ever used. Turns out this commit is wrong: an ellipses is a multibyte character (three bytes in UTF-8) and so we're writing past the end of the buffer when calling strcat() here. Ooops. Shame it took nearly four years to notice and correct this. Part-of: --- lib/ephy-string.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/ephy-string.c b/lib/ephy-string.c index 35a148ab32..8e524d52ca 100644 --- a/lib/ephy-string.c +++ b/lib/ephy-string.c @@ -114,11 +114,10 @@ ephy_string_shorten (char *str, /* create string */ bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str); - /* +1 for ellipsis, +1 for trailing NUL */ - new_str = g_new (gchar, bytes + 1 + 1); + new_str = g_new (gchar, bytes + strlen ("…") + 1); strncpy (new_str, str, bytes); - strcat (new_str, "…"); + strncpy (new_str + bytes, "…", strlen ("…") + 1); g_free (str); -- GitLab