From 573be47177a629c6ca1d806506d477e8727dd923 Mon Sep 17 00:00:00 2001
From: century6 <zhangqiumiao1@huawei.com>
Date: Tue, 29 Aug 2023 14:31:22 +0800
Subject: [PATCH] dp.h: check _ucs2size in format_ucs2()

When memcpy() is called in format_ucs2(), the value of ucs2size - sizeof(uint16_t) is not checked. It may result in out-of-bounds writing due to integer underflow.

Signed-off-by: century6 <zhangqiumiao1@huawei.com>
---
 src/dp.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/dp.h b/src/dp.h
index 8290cc17..2a7b231d 100644
--- a/src/dp.h
+++ b/src/dp.h
@@ -123,7 +123,7 @@ format_vendor_helper(unsigned char *buf, size_t size, char *label,
 		uint16_t *_ucs2buf;					\
 		uint32_t _ucs2size = sizeof(uint16_t) * len;		\
 		_ucs2buf = alloca(_ucs2size);				\
-		if (_ucs2buf == NULL)					\
+		if (_ucs2buf == NULL || _ucs2size < sizeof(uint16_t))	\
 			return -1;					\
 		memset(_ucs2buf, '\0', _ucs2size);			\
 		memcpy(_ucs2buf, str, _ucs2size - sizeof(uint16_t));	\