Fix buffer overflow in xbm_scan (bug#47094)

* src/image.c (xbm_scan): Ensure reading a string doesn't overflow the buffer. (cherry picked from commit ebc3b25409)
2021-03-13 21:59:59 +00:00
parent f60eb988f6
commit b9ec6111e2
1 changed files with 2 additions and 1 deletions
--- a/src/image.c
+++ b/src/image.c
@@ -3256,6 +3256,7 @@ static int
 xbm_scan (char **s, char *end, char *sval, int *ival)
 {
  unsigned char c UNINIT;
+  char *sval_end = sval + BUFSIZ;

 loop:

@@ -3315,7 +3316,7 @@ xbm_scan (char **s, char *end, char *sval, int *ival)
  else if (c_isalpha (c) || c == '_')
    {
      *sval++ = c;
-      while (*s < end
+      while (*s < end && sval < sval_end
 	     && (c = *(*s)++, (c_isalnum (c) || c == '_')))
 	*sval++ = c;
      *sval = 0;