Blame SOURCES/graphviz-2.40.1-CVE-2020-18032.patch
diff --git a/lib/common/shapes.c b/lib/common/shapes.c
index 61e4fe1..8d18502 100644
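--- a/lib/common/shapes.c
+++ b/lib/common/shapes.c
@@ -3545,9 +3545,10 @@ static void record_init(node_t * n)
 reclblp = ND_label(n)->text;
 len = strlen(reclblp);
 /* For some forgotten reason, an empty label is parsed into a space, so
- * we need at least two bytes in textbuf.
+ * we need at least two bytes in textbuf, as well as accounting for the
+ * error path involving "\\N" below.
 */
- len = MAX(len, 1);
+ len = MAX(MAX(len, 1), (int)strlen("\\N"));
 textbuf = N_NEW(len + 1, char);
 if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
 agerr(AGERR, "bad label format %s\n", ND_label(n)->text);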
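Review bot: The new minimum on the `len = MAX(MAX(len, 1), (int)strlen("\\N"));` line is tied to the fallback label only by the comment above it, so a later change to the fallback string on the error path could silently bring back an undersized `textbuf`. The fallback assignment is outside this hunk (the comment refers to it as "below"), so this is inferred from the comment rather than from visible code. Naming the string once, e.g. `static const char fallback[] = "\\N";`, and sizing with `(int)(sizeof fallback - 1)` would keep the allocation and the retry in step. Separately, the `(int)` cast suggests `len` is an `int` receiving `strlen(reclblp)` in the context line, so a very long label would be narrowed before `N_NEW(len + 1, char)`; record_init starts and ends outside the hunk, so the declaration of `len` cannot be confirmed here.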