diff options
author | dkf <donal.k.fellows@manchester.ac.uk> | 2009-10-25 17:08:27 (GMT) |
---|---|---|
committer | dkf <donal.k.fellows@manchester.ac.uk> | 2009-10-25 17:08:27 (GMT) |
commit | 88c10a50633227440660c623dc76a8f017b1e054 (patch) | |
tree | dc74f5bfaf803ea5124e2c2daf2c273fafa42b50 | |
parent | 5969910620bf508843c84476d7ccb60a0e9e8506 (diff) | |
download | tk-88c10a50633227440660c623dc76a8f017b1e054.zip tk-88c10a50633227440660c623dc76a8f017b1e054.tar.gz tk-88c10a50633227440660c623dc76a8f017b1e054.tar.bz2 |
Fix [Bug 2809525] by limiting X11 color name lengths.
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | unix/tkUnixColor.c | 24 |
2 files changed, 24 insertions, 6 deletions
@@ -1,3 +1,9 @@ +2009-10-25 Donal K. Fellows <dkf@users.sf.net> + + * unix/tkUnixColor.c (TkpGetColor): [Bug 2809525]: Impose a maximum + X11 color name length so that it becomes impossible to blow things up + that way. + 2009-10-22 Donal K. Fellows <dkf@users.sf.net> * generic/tkText.c (Tk_TextCmd, TextEditUndo, TextEditRedo) diff --git a/unix/tkUnixColor.c b/unix/tkUnixColor.c index e2def60..8d80bef 100644 --- a/unix/tkUnixColor.c +++ b/unix/tkUnixColor.c @@ -9,7 +9,7 @@ * See the file "license.terms" for information on usage and redistribution * of this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tkUnixColor.c,v 1.2 1998/09/14 18:23:55 stanton Exp $ + * RCS: @(#) $Id: tkUnixColor.c,v 1.2.26.1 2009/10/25 17:08:28 dkf Exp $ */ #include <tkColor.h> @@ -130,6 +130,20 @@ TkpGetColor(tkwin, name) Colormap colormap = Tk_Colormap(tkwin); XColor color; TkColor *tkColPtr; + char buf[100]; + unsigned len = strlen(name); + + /* + * Make sure that we never exceed a reasonable length of color name. A + * good maximum length is 99, arbitrary, but larger than any known color + * name. [Bug 2809525] + */ + + if (len > 99) { + len = 99; + } + memcpy(buf, name, len); + buf[len] = '\0'; /* * Map from the name to a pixel value. Call XAllocNamedColor rather than @@ -140,8 +154,7 @@ TkpGetColor(tkwin, name) if (*name != '#') { XColor screen; - if (XAllocNamedColor(display, colormap, name, &screen, - &color) != 0) { + if (XAllocNamedColor(display, colormap, buf, &screen, &color) != 0) { DeleteStressedCmap(display, colormap); } else { /* @@ -151,14 +164,13 @@ TkpGetColor(tkwin, name) * pick an approximation to the desired color. */ - if (XLookupColor(display, colormap, name, &color, - &screen) == 0) { + if (XLookupColor(display, colormap, buf, &color, &screen) == 0) { return (TkColor *) NULL; } FindClosestColor(tkwin, &screen, &color); } } else { - if (XParseColor(display, colormap, name, &color) == 0) { + if (XParseColor(display, colormap, buf, &color) == 0) { return (TkColor *) NULL; } if (XAllocColor(display, colormap, &color) != 0) { |