Ensure that mbstowcs does not overflow its buffer

Similar to one of the changes by Tim Angus in fd986da: mbstowcs' third argument is the number of wchar_t available in dest, not the number of bytes. This does not appear to be exploitable, because ioquake3 does not actually call mumble_set_identity() or mumble_set_description() anywhere, but it might be relevant to derivatives. Spotted via compiler warnings.
author: Simon McVittie <smcv@debian.org> 2015-01-04 11:08:20 +0000
committer: Tim Angus <tim@ngus.net> 2015-03-17 11:39:12 +0000
commit: c1ed800486473996d55768c99d2aed96ed6fd797 (patch)
tree: f93d3e1b0cc4ed9072cea3261c269063f02f2eca /src/client
parent: a7acfa1fe1fafcbf87d161a12186ffbbb58010e0 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/client/libmumblelink.c b/src/client/libmumblelink.c
index 05a24976..87b79a88 100644
--- a/src/client/libmumblelink.c
+++ b/src/client/libmumblelink.c
@@ -147,7 +147,7 @@ void mumble_set_identity(const char* identity)
 	size_t len;
 	if (!lm)
 		return;
-	len = MIN(sizeof(lm->identity), strlen(identity)+1);
+	len = MIN(sizeof(lm->identity)/sizeof(wchar_t), strlen(identity)+1);
 	mbstowcs(lm->identity, identity, len);
 }
 
@@ -165,7 +165,7 @@ void mumble_set_description(const char* description)
 	size_t len;
 	if (!lm)
 		return;
-	len = MIN(sizeof(lm->description), strlen(description)+1);
+	len = MIN(sizeof(lm->description)/sizeof(wchar_t), strlen(description)+1);
 	mbstowcs(lm->description, description, len);
 }
author	Simon McVittie <smcv@debian.org>	2015-01-04 11:08:20 +0000
committer	Tim Angus <tim@ngus.net>	2015-03-17 11:39:12 +0000
commit	c1ed800486473996d55768c99d2aed96ed6fd797 (patch)
tree	f93d3e1b0cc4ed9072cea3261c269063f02f2eca /src/client
parent	a7acfa1fe1fafcbf87d161a12186ffbbb58010e0 (diff)