From 3a7ae4b11fc04493af0a3400274c903aa79dc781 Mon Sep 17 00:00:00 2001
From: Devon Kirk
Date: Thu, 18 Jun 2026 15:56:32 -0400
Subject: [PATCH] fix: replace fixed 1023-byte stack buffer with GString in main_url_handler

The URL handler for passagestudy.jsp-style URLs used a fixed 1023-byte stack buffer (tmpbuf) with strncpy to extract the portion of the URL before '?'. When the URL prefix before '?' exceeded 1022 characters, strncpy would fill the buffer without null termination, and the subsequent null-byte write at tmpbuf[place - url] would write past the boundary. Replace with dynamic GString allocation via g_string_append_len.
---
 src/main/url.cc | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/main/url.cc b/src/main/url.cc
index 33f22b9ca..11e7fa5e1 100644
--- a/src/main/url.cc
+++ b/src/main/url.cc
@@ -886,7 +886,6 @@ gint main_url_handler(const gchar *url, gboolean clicked)
 // another minor nightmare: re-encode / and : in hex.
 gchar *place;
- gchar tmpbuf[1023];
 GString *tmpstr = g_string_new(NULL);
 place = (char *)strchr(url, '?'); // url's beginning, as-is.
@@ -894,9 +893,8 @@ gint main_url_handler(const gchar *url, gboolean clicked)
 g_string_free(tmpstr, TRUE);
 return 0;
 }
- strncpy(tmpbuf, url, (++place) - url);
- tmpbuf[place - url] = '\0';
- tmpstr = g_string_append(tmpstr, tmpbuf);
+ ++place;
+ tmpstr = g_string_append_len(tmpstr, url, place - url);
 for (/* */; *place; ++place) {
 switch (*place) {
 case '/':
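Review bot: With `tmpbuf` gone, `place` in the first hunk is never written through — the new lines only advance it and read `*place` — so the `(char *)` cast on the `strchr` result can be dropped and the declaration become `const gchar *place;`, keeping `url`'s const-ness intact (provided the re-encoding loop, which continues past the second hunk, also only reads through it). In the second hunk the assignment `tmpstr = g_string_append_len(...)` is redundant since the function returns its first argument; `g_string_append_len(tmpstr, url, place - url);` is enough. The commit message also understates the original defect: `strncpy(tmpbuf, url, n)` writes exactly `n` bytes, so a prefix longer than the buffer overran the stack during the copy itself, not only at the later terminator store — worth recording so the pre-fix behaviour is triaged at the right severity. `main_url_handler` begins before the first hunk and continues after the second.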