From: Rico Tzschichholz <ricotz@ubuntu.com>
Date: Wed, 18 Oct 2023 11:06:05 +0000 (+0200)
Subject: vala: Prevent usage of strlen() on non-null-terminated string
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=47be21f5d99ca583c80418b7d57495a6d2b31a5f;p=thirdparty%2Fvala.git

vala: Prevent usage of strlen() on non-null-terminated string

next_pos is not guaranteed to hold a null-terminated string.
Therefore g_str_has_prefix() can fail in strlen() and crash.

Based on patch by Daniel Kolesa

Fixes https://gitlab.gnome.org/GNOME/vala/issues/1485
---

diff --git a/vala/valamarkupreader.vala b/vala/valamarkupreader.vala
index 3ad25e045..6a290eb95 100644
--- a/vala/valamarkupreader.vala
+++ b/vala/valamarkupreader.vala
@@ -239,32 +239,34 @@ public class Vala.MarkupReader {
 				Report.error (null, "invalid UTF-8 character");
 			} else if (u == '&') {
 				char* next_pos = current + u.to_utf8 (null);
-				if (((string) next_pos).has_prefix ("amp;")) {
+				char buffer[16];
+				Memory.copy (buffer, next_pos, (end - next_pos >= buffer.length ? buffer.length - 1 : end - next_pos));
+				if (((string) buffer).has_prefix ("amp;")) {
 					content.append (((string) text_begin).substring (0, (int) (current - text_begin)));
 					content.append_c ('&');
 					current += 5;
 					text_begin = current;
-				} else if (((string) next_pos).has_prefix ("quot;")) {
+				} else if (((string) buffer).has_prefix ("quot;")) {
 					content.append (((string) text_begin).substring (0, (int) (current - text_begin)));
 					content.append_c ('"');
 					current += 6;
 					text_begin = current;
-				} else if (((string) next_pos).has_prefix ("apos;")) {
+				} else if (((string) buffer).has_prefix ("apos;")) {
 					content.append (((string) text_begin).substring (0, (int) (current - text_begin)));
 					content.append_c ('\'');
 					current += 6;
 					text_begin = current;
-				} else if (((string) next_pos).has_prefix ("lt;")) {
+				} else if (((string) buffer).has_prefix ("lt;")) {
 					content.append (((string) text_begin).substring (0, (int) (current - text_begin)));
 					content.append_c ('<');
 					current += 4;
 					text_begin = current;
-				} else if (((string) next_pos).has_prefix ("gt;")) {
+				} else if (((string) buffer).has_prefix ("gt;")) {
 					content.append (((string) text_begin).substring (0, (int) (current - text_begin)));
 					content.append_c ('>');
 					current += 4;
 					text_begin = current;
-				} else if (((string) next_pos).has_prefix ("percnt;")) {
+				} else if (((string) buffer).has_prefix ("percnt;")) {
 					content.append (((string) text_begin).substring (0, (int) (current - text_begin)));
 					content.append_c ('%');
 					current += 8;