From 1c4e0940938373580cf1e3d2184bae8f25259b79 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Marc=20Andr=C3=A9=20Tanner?=
Date: Mon, 12 Mar 2018 00:03:52 +0100
Subject: [PATCH] view: fix buffer overflow when dealing with combining characters

The `cell.len` attribute refers to the number of bytes of the underlying text which are represented by this cell. The actual NUL terminated data being displayed can have a completely unrelated length. For example a NUL byte has a `cell.len` of 1, but is displayed as `cell.data = "^@"`.

Because we currently have a fixed cell capacity of 16 bytes (including the terminating NUL byte) long sequences of combining characters won't be displayed correctly.

See also #679
---
 view.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/view.c b/view.c
index 71f9fe6..e6ce97d 100644
--- a/view.c
+++ b/view.c
@@ -379,9 +379,12 @@ void view_draw(View *view) {
 cell.width = 1;
 }
- if (cell.width == 0 && prev_cell.len + cell.len < sizeof(cell.data)) {
+ if (cell.width == 0) {
+ size_t n = strlen(prev_cell.data), i = 0;
+ while (cell.data[i] && n < sizeof(cell.data)-1)
+ prev_cell.data[n++] = cell.data[i++];
+ prev_cell.data[n] = '\0';
 prev_cell.len += cell.len;
- strcat(prev_cell.data, cell.data);
 } else {
 if (prev_cell.len && !view_addch(view, &prev_cell))
 break;
-- 
2.11.4.GIT
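Review bot: The byte-wise copy loop in the new `cell.width == 0` branch stops at `sizeof(cell.data)-1` without regard to character boundaries, so a combining character whose UTF-8 encoding does not fit entirely is cut mid-sequence and `prev_cell.data` is left holding a truncated, invalid UTF-8 tail that is then handed to the display code. Dropping the whole combining character when it does not fit keeps the cell text well-formed; since `cell.data` is NUL terminated per the commit message, the four added copy lines can become `size_t n = strlen(prev_cell.data), m = strlen(cell.data);` / `if (n + m < sizeof(cell.data))` / `memcpy(prev_cell.data + n, cell.data, m + 1);`. Either way `prev_cell.len += cell.len` still consumes the source bytes, which is presumably intended so the byte-to-cell mapping stays consistent, but a short comment such as `/* combining chars that exceed the cell capacity are consumed but not displayed */` would make that explicit for the next reader. view_draw starts and ends outside this hunk.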