
Fix memory corruption in ephy_string_shorten()

Michael Catanzaro requested to merge mcatanzaro/memory-corruption into master

This reverts commit 232c6134.

I got my browser stuck in a crash loop today while visiting a website with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only condition in which ephy_string_shorten() is ever used. Turns out this commit is wrong: an ellipsis is a multibyte character (three bytes in UTF-8) and so we're writing past the end of the buffer when calling strcat() here. Oops.

Shame it took nearly four years to notice and correct this.

Edited by Michael Catanzaro
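The following is an added illustration of the byte-accounting mistake described in this merge request; it is not Epiphany's code and does not reproduce ephy_string_shorten(). It assumes the input is valid UTF-8 and that the length limit counts characters rather than bytes. The function and constant names (ELLIPSIS, shortened_size, shortened_size_naive, utf8_strlen, shorten_utf8) are hypothetical. It shows that sizing the output buffer as if the ellipsis were one byte leaves two bytes short, and how to size it from strlen() of the actual UTF-8 sequence so the strcat() stays inside the allocation.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* UTF-8 encoding of U+2026 HORIZONTAL ELLIPSIS: three bytes, not one. */
static const char ELLIPSIS[] = "\xE2\x80\xA6";

/* Correct sizing: prefix bytes + the ellipsis's real byte length + NUL. */
size_t shortened_size(size_t prefix_bytes)
{
    return prefix_bytes + strlen(ELLIPSIS) + 1;
}

/* Buggy sizing, for comparison: treats the ellipsis as a single byte.
 * A strcat() of the real ellipsis into a buffer this size overruns it. */
size_t shortened_size_naive(size_t prefix_bytes)
{
    return prefix_bytes + 1 + 1;
}

/* Number of UTF-8 characters (code points) in s. Continuation bytes are
 * 10xxxxxx, so counting every byte that is not one counts lead bytes. */
size_t utf8_strlen(const char *s)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if ((*p & 0xC0) != 0x80)
            n++;
    return n;
}

/* Byte offset where the nchars-th character (0-based) starts, or the
 * offset of the terminating NUL if the string is shorter than that. */
static size_t utf8_offset(const char *s, size_t nchars)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t seen = 0;
    while (*p) {
        if ((*p & 0xC0) != 0x80) {
            if (seen == nchars)
                break;
            seen++;
        }
        p++;
    }
    return (size_t)(p - (const unsigned char *)s);
}

/* Return a newly allocated copy of str holding at most max_chars characters,
 * with an ellipsis as the last character when truncation was needed.
 * Never splits a multibyte sequence. Caller frees. NULL on allocation failure. */
char *shorten_utf8(const char *str, size_t max_chars)
{
    if (utf8_strlen(str) <= max_chars) {
        size_t len = strlen(str);
        char *copy = malloc(len + 1);
        if (copy)
            memcpy(copy, str, len + 1);
        return copy;
    }

    /* Keep max_chars - 1 characters so the ellipsis fits inside the limit. */
    size_t keep = max_chars > 0 ? max_chars - 1 : 0;
    size_t prefix_bytes = utf8_offset(str, keep);
    char *out = malloc(shortened_size(prefix_bytes));
    if (!out)
        return NULL;

    memcpy(out, str, prefix_bytes);
    out[prefix_bytes] = '\0';
    strcat(out, ELLIPSIS); /* safe: strlen(ELLIPSIS) + 1 bytes were reserved */
    return out;
}

int main(void)
{
    /* Constructed sample input, not a real page title. */
    const char *title = "A very long page title";
    char *s = shorten_utf8(title, 6);
    if (!s)
        return 1;
    printf("%s (%zu chars, %zu bytes)\n", s, utf8_strlen(s), strlen(s));
    printf("naive sizing falls short by %zu bytes\n",
           shortened_size(5) - shortened_size_naive(5));
    free(s);
    return 0;
}
```

The shortfall is independent of the input length: whatever prefix is kept, a buffer sized for a one-byte ellipsis is exactly strlen(ELLIPSIS) - 1 bytes too small, which is why the bug only surfaces on the truncation path and corrupts whatever the allocator placed after the buffer.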
