From 7ce217bbc006a2a37e83034e654004c271269ab5 Mon Sep 17 00:00:00 2001
From: Alex Anderson
Date: Thu, 7 Jun 2018 12:08:37 -0700
Subject: [PATCH] libobs: prevent crash from unbounded copy and bfree

Restricts the range of the copy to count number of characters. Changes function to strip wrapping quotes as intended.
---
 libobs/util/cf-lexer.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libobs/util/cf-lexer.c b/libobs/util/cf-lexer.c
index 8258582ce..0a8dd5c6e 100644
--- a/libobs/util/cf-lexer.c
+++ b/libobs/util/cf-lexer.c
@@ -76,11 +76,12 @@ char *cf_literal_to_str(const char *literal, size_t count)
 if (literal[0] != '\"' && literal[0] != '\'')
 return NULL;
 
- str = bmalloc(count - 1);
- temp_src = literal;
+ /* strip leading and trailing quote characters */
+ str = bzalloc(--count);
+ temp_src = literal + 1;
 temp_dst = str;
 
- while (*temp_src) {
+ while (*temp_src && --count > 0) {
 if (*temp_src == '\\') {
 temp_src++;
 cf_convert_from_escape_literal(&temp_dst, &temp_src);
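Review bot: The new bound `--count > 0` in the `while` condition counts loop iterations rather than source characters, so it does not hold for literals that contain escapes. The escape branch does `temp_src++` and then passes `&temp_src` to `cf_convert_from_escape_literal`, which presumably advances it again, yet `count` drops by only one per pass. For such input the loop can continue through the closing quote and past `literal + count`, stopping only at a NUL. Bounding on the source pointer is tighter: after `str = bzalloc(--count);` set `const char *end = literal + count;` and loop on `while (temp_src < end && *temp_src) {`. The helper and the rest of `cf_literal_to_str` lie outside this hunk, so whether the helper itself can step past `end` still needs checking.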