diff options
| author | dkf <donal.k.fellows@manchester.ac.uk> | 2009-10-25 17:04:26 (GMT) |
|---|---|---|
| committer | dkf <donal.k.fellows@manchester.ac.uk> | 2009-10-25 17:04:26 (GMT) |
| commit | 4b14cfef3fede5ca19f6e59027d9834e9f323f2f (patch) | |
| tree | 20df06673027a843b6c37ecf31018d7a5ad6767f | |
| parent | a1aa5db27d847d7c7421fedcc0a14a4d071f7b8e (diff) | |
| download | tk-4b14cfef3fede5ca19f6e59027d9834e9f323f2f.zip tk-4b14cfef3fede5ca19f6e59027d9834e9f323f2f.tar.gz tk-4b14cfef3fede5ca19f6e59027d9834e9f323f2f.tar.bz2 | |
Fix [Bug 2809525] by limiting X11 color name lengths.
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | unix/tkUnixColor.c | 23 |
2 files changed, 22 insertions, 5 deletions
@@ -1,5 +1,9 @@ 2009-10-25 Donal K. Fellows <dkf@users.sf.net> + * unix/tkUnixColor.c (TkpGetColor): [Bug 2809525]: Impose a maximum + X11 color name length so that it becomes impossible to blow things up + that way. + * library/text.tcl: [Bug 1854913]: Stop <Delete> actions from ever deleting backwards, even when the insertion cursor is "at the end" of the text widget. diff --git a/unix/tkUnixColor.c b/unix/tkUnixColor.c index 1c8c47e..5148b33 100644 --- a/unix/tkUnixColor.c +++ b/unix/tkUnixColor.c @@ -9,7 +9,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tkUnixColor.c,v 1.6 2007/12/13 15:28:50 dgp Exp $ + * RCS: @(#) $Id: tkUnixColor.c,v 1.6.2.1 2009/10/25 17:04:26 dkf Exp $ */ #include "tkInt.h" @@ -128,6 +128,20 @@ TkpGetColor( Colormap colormap = Tk_Colormap(tkwin); XColor color; TkColor *tkColPtr; + char buf[100]; + unsigned len = strlen(name); + + /* + * Make sure that we never exceed a reasonable length of color name. A + * good maximum length is 99, arbitrary, but larger than any known color + * name. [Bug 2809525] + */ + + if (len > 99) { + len = 99; + } + memcpy(buf, name, len); + buf[len] = '\0'; /* * Map from the name to a pixel value. Call XAllocNamedColor rather than @@ -138,8 +152,7 @@ TkpGetColor( if (*name != '#') { XColor screen; - if (XAllocNamedColor(display, colormap, name, &screen, - &color) != 0) { + if (XAllocNamedColor(display, colormap, buf, &screen, &color) != 0) { DeleteStressedCmap(display, colormap); } else { /* @@ -149,13 +162,13 @@ TkpGetColor( * approximation to the desired color. */ - if (XLookupColor(display, colormap, name, &color, &screen) == 0) { + if (XLookupColor(display, colormap, buf, &color, &screen) == 0) { return NULL; } FindClosestColor(tkwin, &screen, &color); } } else { - if (XParseColor(display, colormap, name, &color) == 0) { + if (XParseColor(display, colormap, buf, &color) == 0) { return NULL; } if (XAllocColor(display, colormap, &color) != 0) { |