Fix reading past the end of an allocated buffer. (#15713)

warmenhoven · web-flow · commit ef12e4352210 · 2023-09-20T10:50:35.000-07:00
title_length is originally calculated to be the msg length, but later
if the task has a title then that is used instead, but the length is
not updated. If msg is longer than title, we read past the end of the
buffer.
diff --git a/gfx/gfx_widgets.c b/gfx/gfx_widgets.c
@@ -243,6 +243,7 @@ void gfx_widgets_msg_queue_push(
          {
             title = msg_widget->msg             = strdup(task->title);
             msg_widget->msg_new                 = strdup(title);
+            title_length                        = strlen(title);
             msg_widget->msg_len                 = title_length;
 
             if (!string_is_empty(task->error))

Original file line number	Diff line number	Diff line change
`@@ -243,6 +243,7 @@ void gfx_widgets_msg_queue_push(`
`243`	`243`	`{`
`244`	`244`	`title = msg_widget->msg = strdup(task->title);`
`245`	`245`	`msg_widget->msg_new = strdup(title);`
	`246`	`+ title_length = strlen(title);`
`246`	`247`	`msg_widget->msg_len = title_length;`
`247`	`248`
`248`	`249`	`if (!string_is_empty(task->error))`