From c1ed800486473996d55768c99d2aed96ed6fd797 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Sun, 4 Jan 2015 11:08:20 +0000
Subject: Ensure that mbstowcs does not overflow its buffer

Similar to one of the changes by Tim Angus in fd986da: mbstowcs' third
argument is the number of wchar_t available in dest, not the number
of bytes.

This does not appear to be exploitable, because ioquake3 does
not actually call mumble_set_identity() or mumble_set_description()
anywhere, but it might be relevant to derivatives.

Spotted via compiler warnings.
---
 src/client/libmumblelink.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/client')

diff --git a/src/client/libmumblelink.c b/src/client/libmumblelink.c
index 05a24976..87b79a88 100644
--- a/src/client/libmumblelink.c
+++ b/src/client/libmumblelink.c
@@ -147,7 +147,7 @@ void mumble_set_identity(const char* identity)
 	size_t len;
 	if (!lm)
 		return;
-	len = MIN(sizeof(lm->identity), strlen(identity)+1);
+	len = MIN(sizeof(lm->identity)/sizeof(wchar_t), strlen(identity)+1);
 	mbstowcs(lm->identity, identity, len);
 }
 
@@ -165,7 +165,7 @@ void mumble_set_description(const char* description)
 	size_t len;
 	if (!lm)
 		return;
-	len = MIN(sizeof(lm->description), strlen(description)+1);
+	len = MIN(sizeof(lm->description)/sizeof(wchar_t), strlen(description)+1);
 	mbstowcs(lm->description, description, len);
 }
 
-- 
cgit