From 19710f6fd09ea5c68c8535987241993b0c04d5ea Mon Sep 17 00:00:00 2001 From: glx Date: Sun, 17 Feb 2008 00:47:39 +0000 Subject: (svn r12165) -Fix [FS#1652, FS#1773]: buffer overflow when drawing scrolling news --- src/main_gui.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/main_gui.cpp b/src/main_gui.cpp index 5b443da8f..f02de6299 100644 --- a/src/main_gui.cpp +++ b/src/main_gui.cpp @@ -1668,7 +1668,7 @@ static bool DrawScrollingStatusText(const NewsItem *ni, int pos, int width) { char buf[512]; StringID str; - const char *s; + const char *s, *last; char *d; DrawPixelInfo tmp_dpi, *old_dpi; int x; @@ -1685,19 +1685,22 @@ static bool DrawScrollingStatusText(const NewsItem *ni, int pos, int width) s = buf; d = buffer; + last = lastof(buffer); for (;;) { WChar c = Utf8Consume(&s); if (c == 0) { - *d = '\0'; break; - } else if (*s == 0x0D) { + } else if (c == 0x0D) { + if (d + 4 >= last) break; d[0] = d[1] = d[2] = d[3] = ' '; d += 4; } else if (IsPrintable(c)) { + if (d + Utf8CharLen(c) >= last) break; d += Utf8Encode(d, c); } } + *d = '\0'; if (!FillDrawPixelInfo(&tmp_dpi, 141, 1, width, 11)) return true; -- cgit v1.2.3-70-g09d2