ref: bd037ab7aaf4cc516062dd1727218ac480666d45
parent: 09b3fcb1e7ec420926affc4b6959cd5d8740c02a
author: Tor Andersson <tor.andersson@artifex.com>
date: Wed Nov 16 16:12:12 EST 2022
Bug 706081: Fix off by one in size calculation.
--- a/jsvalue.c
+++ b/jsvalue.c
@@ -378,7 +378,7 @@
{js_Object *obj = jsV_newobject(J, JS_CSTRING, J->String_prototype);
size_t n = strlen(v);
- if (n < sizeof(obj->u.s.shrstr) - 1) {+ if (n < sizeof(obj->u.s.shrstr)) {obj->u.s.string = obj->u.s.shrstr;
memcpy(obj->u.s.shrstr, v, n + 1);
} else {