From 50557a4f633810caa9ccf7841957a57f3e7c7d60 Mon Sep 17 00:00:00 2001 From: Adam Majer Date: Tue, 2 Aug 2016 11:10:45 +0200 Subject: [PATCH 1/2] Fix static buffer overrrun (issue #443) result[6] is a fixed array of size 6, but in the process of copying data into it, we clobber the last allocated byte. Simplify some of the code by not calling redundant functions. --- src/language.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/language.c b/src/language.c index 4e0b98e..c67d794 100644 --- a/src/language.c +++ b/src/language.c @@ -601,7 +601,6 @@ tmbstr tidyNormalizedLocaleName( ctmbstr locale ) uint i; uint len; static char result[6] = "xx_yy"; - char character[1]; tmbstr search = strdup(locale); search = TY_(tmbstrtolower)(search); @@ -622,27 +621,28 @@ tmbstr tidyNormalizedLocaleName( ctmbstr locale ) junk language that doesn't exist and won't be set. */ len = strlen( search ); - len = len <= 5 ? len : 5; + len = ( len <= 5 ? len : 5 ); - for ( i = 0; i <= len; i++ ) + for ( i = 0; i < len; i++ ) { if ( i == 2 ) { /* Either terminate the string or ensure there's an underscore */ - if (strlen( search) >= 5) - character[0] = '_'; - else - character[0] = '\0'; - strncpy( result + i, character, 1 ); + if (len == 5) { + result[i] = '_'; + } + else { + result[i] = '\0'; + break; /* no need to copy after null */ + } } else { - strncpy( result + i, search + i, 1); - result[i] = tolower( result[i] ); + result[i] = tolower( search[i] ); } } - if ( search ) free( search ); + free( search ); return result; } From d2fc25259859abd8c7d0e29dd23e790d48167a2c Mon Sep 17 00:00:00 2001 From: Geoff McLane Date: Thu, 4 Aug 2016 15:54:14 +0200 Subject: [PATCH 2/2] Issue #443, merge #445 - Bump to 5.3.9 for this fix --- version.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.txt b/version.txt index 0b34ced..c9a735c 100644 --- a/version.txt +++ b/version.txt 
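Review bot: With the loop bound changed to `i < len` in the second `src/language.c` hunk, inputs of length 0, 1 or 2 never reach the `i == 2` branch, so nothing writes a terminator at `result[len]`. The static `result` then keeps whatever the `"xx_yy"` initializer or an earlier call left there, so a bare two-letter locale can come back with a stale tail depending on call history; the old `i <= len` bound ran one extra iteration that terminated these cases. Adding `if ( len < 3 ) result[len] = '\0';` after the loop would terminate short names without touching `result[5]`, which the new loop never overwrites. Separately, `tolower( search[i] )` is passed a plain `char`; `tolower( (unsigned char)search[i] )` avoids undefined behaviour for bytes above 0x7F. The function's opening and the lines between the two hunks are not shown, so this assumes `search` is not padded or rewritten there.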
@@ -1,2 +1,2 @@ -5.3.8 -2016.07.29 +5.3.9 +2016.08.04