From 4b81cb847647450f4bad8a0d9a278d43ebdfecc6 Mon Sep 17 00:00:00 2001 From: Denis Dzyubenko Date: Wed, 6 Oct 2010 10:31:37 +0200 Subject: Fixed a buffer overrun when pasting large data from non-Qt apps When we receive a COMPOUND_TEXT data and convert it to multi-byte, if the new length is less than the original buffer, we resize the buffer, but then we need to make sure we reset the buffer_offset variable, which is returned as a "size" of the buffer to a caller. The conversion to COMPOUND_TEXT format was totally wrong, we were using the wrong length of the input text, so the converted string was truncated. Task-number: QTBUG-8644 Reviewed-by: Bradley T. Hughes --- src/gui/kernel/qclipboard_x11.cpp | 22 +++++++++------------- src/gui/kernel/qdnd_x11.cpp | 2 +- src/gui/kernel/qmotifdnd_x11.cpp | 2 +- src/gui/kernel/qt_x11_p.h | 2 +- 4 files changed, 12 insertions(+), 16 deletions(-) diff --git a/src/gui/kernel/qclipboard_x11.cpp b/src/gui/kernel/qclipboard_x11.cpp index b7ca2d4..55548ef 100644 --- a/src/gui/kernel/qclipboard_x11.cpp +++ b/src/gui/kernel/qclipboard_x11.cpp @@ -595,7 +595,7 @@ static inline int maxSelectionIncr(Display *dpy) { return XMaxRequestSize(dpy) > 65536 ? 65536*4 : XMaxRequestSize(dpy)*4 - 100; } bool QX11Data::clipboardReadProperty(Window win, Atom property, bool deleteProperty, - QByteArray *buffer, int *size, Atom *type, int *format, bool nullterm) + QByteArray *buffer, int *size, Atom *type, int *format) { int maxsize = maxSelectionIncr(display); ulong bytes_left; // bytes_after @@ -641,13 +641,13 @@ bool QX11Data::clipboardReadProperty(Window win, Atom property, bool deletePrope break; } - int newSize = proplen + (nullterm ? 1 : 0); + int newSize = proplen; buffer->resize(newSize); bool ok = (buffer->size() == newSize); VDEBUG("QClipboard: read_property(): buffer resized to %d", buffer->size()); - if (ok) { + if (ok && newSize) { // could allocate buffer while (bytes_left) { @@ -683,23 +683,19 @@ bool QX11Data::clipboardReadProperty(Window win, Atom property, bool deletePrope XTextProperty textprop; textprop.encoding = *type; textprop.format = *format; - textprop.nitems = length; + textprop.nitems = buffer_offset; textprop.value = (unsigned char *) buffer->data(); char **list_ret = 0; int count; if (XmbTextPropertyToTextList(display, &textprop, &list_ret, &count) == Success && count && list_ret) { - offset = strlen(list_ret[0]); - buffer->resize(offset + (nullterm ? 1 : 0)); + offset = buffer_offset = strlen(list_ret[0]); + buffer->resize(offset); memcpy(buffer->data(), list_ret[0], offset); } if (list_ret) XFreeStringList(list_ret); } - - // zero-terminate (for text) - if (nullterm) - buffer->data()[buffer_offset] = '\0'; } // correct size, not 0-term. @@ -742,7 +738,7 @@ QByteArray QX11Data::clipboardReadIncrementalProperty(Window win, Atom property, if (event.xproperty.atom != property || event.xproperty.state != PropertyNewValue) continue; - if (X11->clipboardReadProperty(win, property, true, &tmp_buf, &length, 0, 0, false)) { + if (X11->clipboardReadProperty(win, property, true, &tmp_buf, &length, 0, 0)) { if (length == 0) { // no more data, we're done if (nullterm) { buf.resize(offset+1); @@ -1070,7 +1066,7 @@ bool QClipboard::event(QEvent *e) QByteArray multi_data; if (req->property == XNone || !X11->clipboardReadProperty(req->requestor, req->property, false, &multi_data, - 0, &multi_type, &multi_format, 0) + 0, &multi_type, &multi_format) || multi_format != 32) { // MULTIPLE property not formatted correctly XSendEvent(dpy, req->requestor, False, NoEventMask, &event); @@ -1292,7 +1288,7 @@ QByteArray QClipboardWatcher::getDataInFormat(Atom fmtatom) const Atom type; XSelectInput(dpy, win, PropertyChangeMask); - if (X11->clipboardReadProperty(win, ATOM(_QT_SELECTION), true, &buf, 0, &type, 0, false)) { + if (X11->clipboardReadProperty(win, ATOM(_QT_SELECTION), true, &buf, 0, &type, 0)) { if (type == ATOM(INCR)) { int nbytes = buf.size() >= 4 ? *((int*)buf.data()) : 0; buf = X11->clipboardReadIncrementalProperty(win, ATOM(_QT_SELECTION), nbytes, false); diff --git a/src/gui/kernel/qdnd_x11.cpp b/src/gui/kernel/qdnd_x11.cpp index 92dd0a1..68d7688 100644 --- a/src/gui/kernel/qdnd_x11.cpp +++ b/src/gui/kernel/qdnd_x11.cpp @@ -1887,7 +1887,7 @@ static QVariant xdndObtainData(const char *format, QVariant::Type requestedType) if (got) { Atom type; - if (X11->clipboardReadProperty(tw->effectiveWinId(), ATOM(XdndSelection), true, &result, 0, &type, 0, false)) { + if (X11->clipboardReadProperty(tw->effectiveWinId(), ATOM(XdndSelection), true, &result, 0, &type, 0)) { if (type == ATOM(INCR)) { int nbytes = result.size() >= 4 ? *((int*)result.data()) : 0; result = X11->clipboardReadIncrementalProperty(tw->effectiveWinId(), ATOM(XdndSelection), nbytes, false); diff --git a/src/gui/kernel/qmotifdnd_x11.cpp b/src/gui/kernel/qmotifdnd_x11.cpp index 0a7b350..3334455 100644 --- a/src/gui/kernel/qmotifdnd_x11.cpp +++ b/src/gui/kernel/qmotifdnd_x11.cpp @@ -766,7 +766,7 @@ QVariant QX11Data::motifdndObtainData(const char *mimeType) if (got) { Atom type; - if (X11->clipboardReadProperty(tw->internalWinId(), Dnd_selection, true, &result, 0, &type, 0, false)) { + if (X11->clipboardReadProperty(tw->internalWinId(), Dnd_selection, true, &result, 0, &type, 0)) { } } diff --git a/src/gui/kernel/qt_x11_p.h b/src/gui/kernel/qt_x11_p.h index 7383382..d62d9c3 100644 --- a/src/gui/kernel/qt_x11_p.h +++ b/src/gui/kernel/qt_x11_p.h @@ -350,7 +350,7 @@ struct QX11Data // from qclipboard_x11.cpp bool clipboardWaitForEvent(Window win, int type, XEvent *event, int timeout); bool clipboardReadProperty(Window win, Atom property, bool deleteProperty, - QByteArray *buffer, int *size, Atom *type, int *format, bool nullterm); + QByteArray *buffer, int *size, Atom *type, int *format); QByteArray clipboardReadIncrementalProperty(Window win, Atom property, int nbytes, bool nullterm); // from qdnd_x11.cpp -- cgit v0.12