From 5cebd7c4da1afea353a3baef250e31a4cf867bc5 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Marcin=20Cie=C5=9Blak?=
Date: Sat, 30 Nov 2019 03:51:40 +0000
Subject: [PATCH] dtdocbook/instant: fix buffer overlow on German umlaut in latin-1

One-off error: Old buffer length was 6 for one character (3 * 1 + 3) We need one more byte par character in the buffer for the hex representation of it. +0 '"' +1 '\\' +2 'x' +3 'f' +4 'c' +5 '"' +6 0x0 << overflow tcl combined with RCHECK will abort because memory blocks are allocated contiguously and we overwrite the magic marker of the next block.
---
 cde/programs/dtdocbook/instant/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cde/programs/dtdocbook/instant/main.c b/cde/programs/dtdocbook/instant/main.c
index 7dfe91c6..a3762bde 100644
--- a/cde/programs/dtdocbook/instant/main.c
+++ b/cde/programs/dtdocbook/instant/main.c
@@ -359,7 +359,7 @@ static int DefaultOutputString(ClientData clientData,
 /* leave room for worst case expansion plus quotes plus null */
 pArgv = argv[1];
- stringLength = (3 * strlen(pArgv)) + 3;
+ stringLength = (4 * strlen(pArgv)) + 3;
 string = Tcl_Alloc(stringLength);
 memset(string, 0, stringLength);
-- 
2.25.1
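Review bot: The new multiplier is right for the `\xNN` form (4 output bytes per input byte, plus two quotes and the NUL), but the hunk still carries that derivation as bare `4` and `3`, so the next change to the escape format can silently reintroduce the overflow; replace the comment above the assignment with `/* worst case: every input byte becomes "\xNN" (4 bytes), plus 2 quotes and the NUL */` so the arithmetic is tied to the format it protects. `strlen` yields a `size_t` and Tcl 8's `Tcl_Alloc` takes an `unsigned int`, so the product is narrowed on the way in; `stringLength`'s declaration is outside the hunk, so I cannot tell whether it is already wide enough — worth confirming. The escape loop that writes into `string` is also outside the hunk; a bounds assertion on the write index there (checked against `stringLength`) would turn a future mismatch between the size formula and the format into a fail-fast instead of a heap overwrite of the neighbouring Tcl block, which is what RCHECK caught here. DefaultOutputString begins and ends outside the hunk.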