Fix reading past the end of an allocated buffer. (#15713)

title_length is originally calculated to be the msg length, but later if the task has a title then that is used instead, but the length is not updated. If msg is longer than title, we read past the end of the buffer.
libretro · Sep 20, 2023 · ef12e43 · ef12e43
1 parent f33f5e2
commit ef12e43
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/gfx/gfx_widgets.c b/gfx/gfx_widgets.c
@@ -243,6 +243,7 @@ void gfx_widgets_msg_queue_push(
          {
             title = msg_widget->msg             = strdup(task->title);
             msg_widget->msg_new                 = strdup(title);
+            title_length                        = strlen(title);
             msg_widget->msg_len                 = title_length;
 
             if (!string_is_empty(task->error))