From 1eddce14c3594fe452c2f0ca0e38fbc62e21ecd3 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH] 0050-proc/escape.c: Prevent integer overflows in
 escape_str_utf8().

Simply rearrange the old comparisons. The new comparisons are safe,
because we know from previous checks that:

1/ wlen > 0

2/ my_cells < *maxcells (also: my_cells >= 0 and *maxcells > 0)

3/ len > 1

4/ my_bytes+1 < bufsize (also: my_bytes >= 0 and bufsize > 0)
---
 proc/escape.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proc/escape.c b/proc/escape.c
index 114860af..a1e1f5ef 100644
--- a/proc/escape.c
+++ b/proc/escape.c
@@ -100,7 +100,7 @@ static int escape_str_utf8(char *restrict dst, const char *restrict src, int buf
       } else {
         // multibyte - printable
         // Got space?
-        if (my_cells+wlen > *maxcells || my_bytes+1+len >= bufsize) break;
+        if (wlen > *maxcells-my_cells || len >= bufsize-(my_bytes+1)) break;
         // 0x9b is control byte for some terminals
         if (memchr(src, 0x9B, len)) {
 	  // unsafe multibyte