From: Tim Ruehsen Date: Fri, 5 Apr 2019 11:50:44 +0200 Subject: Fix a buffer overflow vulnerability Origin: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c, https://git.savannah.gnu.org/cgit/wget.git/commit/?id=562eacb76a2b64d5dc80a443f0f739bc9ef76c17 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-5953 Bug-Debian: https://bugs.debian.org/926389 * src/iri.c(do_conversion): Reallocate the output buffer to a larger size if it is already full --- src/iri.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) --- a/src/iri.c +++ b/src/iri.c @@ -189,9 +189,10 @@ do_conversion (const char *tocode, const { tooshort++; done = len; - len = outlen = done + inlen * 2; - s = xrealloc (s, outlen + 1); - *out = s + done; + len = done + inlen * 2; + s = xrealloc (s, len + 1); + *out = s + done - outlen; + outlen += inlen * 2; } else /* Weird, we got an unspecified error */ {