Cap VLA length in RichString wide-character functions

natoscott · claude · natoscott · commit 544880ecfc16 · 2026-05-18T10:33:40.000+10:00
Limit the variable-length array size in RichString_writeFromWide() and RichString_appendnWideColumns() to prevent stack exhaustion from processes with extremely long command lines (up to ARG_MAX ~2MB). Closes: GHSA-mjc3-mc44-c23f Reported-by: Michał Majchrowicz (AFINE Team) Reported-by: Marcin Wyczechowski (AFINE Team) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/RichString.c b/RichString.c
@@ -21,6 +21,8 @@ in the source distribution for its full text.
 
 #define charBytes(n) (sizeof(CharType) * (n))
 
+#define RICHSTRING_MAX_WIDE_LEN 0x8000
+
 static void RichString_extendLen(RichString* this, size_t len) {
    if (this->chptr == this->chstr) {
       // String is in internal buffer
@@ -101,6 +103,9 @@ static inline int RichString_writeFromWide(RichString* this, int attrs, const ch
    if (len < 1)
       return 0;
 
+   if (len > RICHSTRING_MAX_WIDE_LEN)
+      len = RICHSTRING_MAX_WIDE_LEN;
+
    wchar_t data[len];
    len = mbstowcs_nonfatal(data, data_c, len);
    if (len <= 0)
@@ -116,6 +121,9 @@ static inline int RichString_writeFromWide(RichString* this, int attrs, const ch
 }
 
 int RichString_appendnWideColumns(RichString* this, int attrs, const char* data_c, size_t len, int* columns) {
+   if (len > RICHSTRING_MAX_WIDE_LEN)
+      len = RICHSTRING_MAX_WIDE_LEN;
+
    wchar_t data[len];
    len = mbstowcs_nonfatal(data, data_c, len);
    if (len <= 0)
