From 77efdb615b56e66fcdd4fc49efac37a460196fc3 Mon Sep 17 00:00:00 2001
From: John-Mark Bell
Date: Sun, 11 Nov 2012 15:22:33 +0000
Subject: Fix buffer overflow in event dispatch
---
 src/core/node.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/core/node.c b/src/core/node.c
index 702a145..c7794e6 100644
--- a/src/core/node.c
+++ b/src/core/node.c
@@ -2347,13 +2347,18 @@ dom_exception _dom_node_dispatch_event(dom_event_target *et,
 ntargets = 0;
 ntargets_allocated = 64;
 targets = calloc(sizeof(*targets), ntargets_allocated);
+ if (targets == NULL) {
+ /** \todo Report memory exhaustion? */
+ return DOM_NO_ERR;
+ }
 targets[ntargets++] = (dom_event_target *)dom_node_ref(et);
 target = target->parent;
 while (target != NULL) {
 if (ntargets == ntargets_allocated) {
 dom_event_target **newtargets = realloc(
- targets, ntargets_allocated * 2);
+ targets,
+ ntargets_allocated * 2 * sizeof(*targets));
 if (newtargets == NULL) goto cleanup;
 memset(newtargets + ntargets_allocated,
-- 
cgit v1.2.3
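Review bot: The new NULL check after `calloc` returns `DOM_NO_ERR`, so a failed allocation is reported to the caller as a successful dispatch although no target was visited; returning the library's out-of-memory code instead, e.g. `return DOM_NO_MEM_ERR;` (assuming this tree defines it), would let callers tell the two cases apart and would resolve the `\todo`. The corrected `realloc` size `ntargets_allocated * 2 * sizeof(*targets)` is still computed without an overflow check; the doubling makes a wrap remote, but a guard such as `if (ntargets_allocated > SIZE_MAX / (2 * sizeof(*targets))) goto cleanup;` would rule it out. The `memset` that follows is cut off by the hunk, so its length argument should be checked to be in bytes too, since the bug fixed here was an element count passed where a byte count was expected. The function body starts and ends outside the hunk, so what `cleanup` returns on a failed `realloc` is not visible here.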