commit ad4877023146953d4daa8d91c119124c38620337
Author:     Christopher Wellons <[email protected]>
AuthorDate: Fri Oct 7 11:33:10 2022 -0400
Commit:     Laslo Hunhold <[email protected]>
CommitDate: Fri Oct 7 18:00:11 2022 +0200

    Check for empty destination before NUL-terminating
    
    This overflow was triggered in the second test of to_lowercase_utf8
    where the destination is zero length (w->destlen == 0). `w->destlen`
    would overflow by subtraction, then the subscript would overflow the
    destination.
    
    Signed-off-by: Laslo Hunhold <[email protected]>

diff --git a/src/util.c b/src/util.c
index ed893ba..2ff1b64 100644
--- a/src/util.c
+++ b/src/util.c
@@ -207,7 +207,7 @@ herodotus_writer_nul_terminate(HERODOTUS_WRITER *w)
                } else { /* w->type == HERODOTUS_TYPE_UTF8 */
                        ((char *)(w->dest))[w->first_unwritable_offset] = '\0';
                }
-       } else {
+       } else if (w->destlen > 0) {
                /*
                 * In this case, there is no more space in the buffer and
                 * the last unwritable offset is larger than
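
Review bot: the new `else if (w->destlen > 0)` guard lets a zero-length destination fall through with no write at all, but the comment that opens this branch still describes only the "no more space in the buffer" case. Suggest adding a sentence to that comment stating that when `w->destlen` is 0 nothing is written and the destination is left without a terminator, so callers know not to read it as a string. The reason given in the commit message (the subtraction on `w->destlen` wrapping, then the subscript overflowing the destination) would also be worth recording next to the check, since the condition looks redundant without it.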
