authorGravatar ridiculousfish <corydoras@ridiculousfish.com>2013-10-16 01:02:15 -0700
committerGravatar ridiculousfish <corydoras@ridiculousfish.com>2013-10-16 01:02:15 -0700
commit3c5d5b344ee945b99e4bb16a44af6f293601813d (patch)
treefa281ccd0dbc09de55ead86ae3f888e52f684477
parent4980959fcea76cf42170836f5c8a0657487cac90 (diff)
Fix for buffer overflows identified by libgmalloc
-rw-r--r--fallback.cpp22
-rw-r--r--parse_util.cpp6
2 files changed, 18 insertions, 10 deletions
diff --git a/fallback.cpp b/fallback.cpp
index 7e215bbe..5e4b3e1b 100644
--- a/fallback.cpp
+++ b/fallback.cpp
@@ -1503,14 +1503,20 @@ static int mk_wcwidth(wchar_t ucs)
static int mk_wcswidth(const wchar_t *pwcs, size_t n)
{
- int w, width = 0;
-
- for (; *pwcs && n-- > 0; pwcs++)
- if ((w = mk_wcwidth(*pwcs)) < 0)
- return -1;
- else
- width += w;
-
+ int width = 0;
+ for (size_t i=0; i < n; i++)
+ {
+ if (pwcs[i] == L'\0')
+ break;
+
+ int w = mk_wcwidth(pwcs[i]);
+ if (w < 0)
+ {
+ width = -1;
+ break;
+ }
+ width += w;
+ }
return width;
}
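Review bot: Nothing in the rewritten `mk_wcswidth` loop records that `i < n` has to be tested before `pwcs[i]` is read, although that ordering is the fix. The removed condition `*pwcs && n-- > 0` dereferenced first, so it could read one element past an n-character buffer that has no terminator. A comment above the loop, for example `/* Test i < n before touching pwcs[i]: the buffer need not be NUL-terminated within n characters */`, would stop a later cleanup from merging the two tests in the unsafe order. Separately, `width` is an `int` summed over up to `n` (a `size_t`) characters, so a very long input could in principle overflow it; this is probably unreachable in practice, but the same comment could note it.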
diff --git a/parse_util.cpp b/parse_util.cpp
index 2f95a3e2..5d8a1b1d 100644
--- a/parse_util.cpp
+++ b/parse_util.cpp
@@ -260,8 +260,7 @@ void parse_util_cmdsubst_extent(const wchar_t *buff, size_t cursor_pos, const wc
/* No subshell found, all done */
break;
}
-
- /* Intrepret NULL to mean the end */
+ /* Interpret NULL to mean the end */
if (end == NULL)
{
end = const_cast<wchar_t *>(buff) + bufflen;
@@ -273,6 +272,9 @@ void parse_util_cmdsubst_extent(const wchar_t *buff, size_t cursor_pos, const wc
begin++;
ap = begin;
bp = end;
+ /* pos is where to begin looking for the next one. But if we reached the end there's no next one. */
+ if (begin >= end)
+ break;
pos = begin + 1;
}
else if (begin >= cursor)
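Review bot: The comment on the new guard says "if we reached the end", but `begin >= end` compares against the end of the current command substitution. Judging from the `end == NULL` fallback in the previous hunk, that is the end of the buffer only when no closing delimiter was found. A more exact comment would be `/* begin + 1 would step past end (and past the terminator when end is buff + bufflen), so stop searching here */`. Adding `assert(pos <= buff + bufflen);` after `pos = begin + 1;` would also turn the invariant into a debug-build check instead of relying on an allocator guard page to reveal a violation. The function begins and ends outside this hunk, so it cannot be judged from here whether the other branches that advance `pos` need the same bound.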