fix buffer overflow in textbox when reflowing (CVE-2009-2905)

author Miroslav Lichvar <mlichvar@redhat.com>

Wed, 23 Sep 2009 12:20:45 +0000 (14:20 +0200)

committer Miroslav Lichvar <mlichvar@redhat.com>

Wed, 23 Sep 2009 12:20:45 +0000 (14:20 +0200)
author Miroslav Lichvar <mlichvar@redhat.com>
Wed, 23 Sep 2009 12:20:45 +0000 (14:20 +0200)
committer Miroslav Lichvar <mlichvar@redhat.com>
Wed, 23 Sep 2009 12:20:45 +0000 (14:20 +0200)
diff --git a/textbox.c b/textbox.c

index c9dd88d832a24d86fd7025888728d7aafeaa0a76..ec75446e0229a545d160016ab4afa06fe3b562d5 100644 (file)
--- a/textbox.c
+++ b/textbox.c
@@ -175,7 +175,7 @@ static void doReflow(const char * text, char ** resultPtr, int width,
  
      if (resultPtr) {
         /* XXX I think this will work */
-       result = malloc(strlen(text) + (strlen(text) / width) + 2);
+       result = malloc(strlen(text) + (strlen(text) / (width - 1)) + 2);
         *result = '\0';
      }
author	Miroslav Lichvar <mlichvar@redhat.com>
	Wed, 23 Sep 2009 12:20:45 +0000 (14:20 +0200)
committer	Miroslav Lichvar <mlichvar@redhat.com>
	Wed, 23 Sep 2009 12:20:45 +0000 (14:20 +0200)