authorMarc André Tanner <mat@brain-dump.org>2018-03-12 00:03:52 +0100
committerMarc André Tanner <mat@brain-dump.org>2018-03-12 00:21:45 +0100
commit1c4e0940938373580cf1e3d2184bae8f25259b79 (patch)
tree91689b8ee6785160c0631cbdaafebe7a581d884e
parentae6c3801292c0279a6263ce2b363d0719a0737da (diff)
downloadvis-1c4e0940938373580cf1e3d2184bae8f25259b79.tar.gz
vis-1c4e0940938373580cf1e3d2184bae8f25259b79.tar.xz
view: fix buffer overflow when dealing with combining characters
The `cell.len` attribute refers to the number of bytes of the underlying text which are represented by this cell. The actual NUL terminated data being displayed can have a completely unrelated length. For example a NUL byte has a `cell.len` of 1, but is displayed as `cell.data = "^@"`. Because we currently have a fixed cell capacity of 16 bytes (including the terminating NUL byte), long sequences of combining characters won't be displayed correctly. See also #679.
-rw-r--r--view.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/view.c b/view.c
index 71f9fe6..e6ce97d 100644
--- a/view.c
+++ b/view.c
@@ -379,9 +379,12 @@ void view_draw(View *view) {
cell.width = 1;
}
- if (cell.width == 0 && prev_cell.len + cell.len < sizeof(cell.data)) {
+ if (cell.width == 0) {
+ size_t n = strlen(prev_cell.data), i = 0;
+ while (cell.data[i] && n < sizeof(cell.data)-1)
+ prev_cell.data[n++] = cell.data[i++];
+ prev_cell.data[n] = '\0';
prev_cell.len += cell.len;
- strcat(prev_cell.data, cell.data);
} else {
if (prev_cell.len && !view_addch(view, &prev_cell))
break;
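Review bot: The bounded copy loop in the `cell.width == 0` branch truncates byte by byte, so if `cell.data` holds a multi-byte combining character that only partly fits, `prev_cell.data` ends in an incomplete sequence that is later handed to `view_addch`. Appending all-or-nothing avoids that: `size_t m = strlen(cell.data); if (n + m < sizeof(prev_cell.data)) memcpy(prev_cell.data + n, cell.data, m + 1);`. The limit is also taken from `sizeof(cell.data)` while the writes go to `prev_cell.data`; the two presumably share a type, but sizing against the destination keeps the check correct if that ever changes. `view_draw` starts and ends outside this hunk, so how a truncated cell is rendered downstream cannot be confirmed from here.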