summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authora_kovalenko <a_kovalenko>2002-06-26 22:12:43 (GMT)
committera_kovalenko <a_kovalenko>2002-06-26 22:12:43 (GMT)
commit8ed012189029d6c2bb809677a0f8f3a1012538a8 (patch)
tree54c2d6c93fcd695320e9f4ff0796e41a72a7a215
parent8007af70baf500ee3ccd58b826390de63da6f5d7 (diff)
downloadtk-8ed012189029d6c2bb809677a0f8f3a1012538a8.zip
tk-8ed012189029d6c2bb809677a0f8f3a1012538a8.tar.gz
tk-8ed012189029d6c2bb809677a0f8f3a1012538a8.tar.bz2
Fixed potential buffer overflow from patch#546910
-rw-r--r--ChangeLog7
-rw-r--r--generic/tkFont.c4
2 files changed, 9 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index c5c7363..e299722 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2002-06-26 Anton Kovalenko <a_kovalenko@users.sourceforge.net>
+ * generic/tkFont.c (TkTextLayoutToPostscript): fixed potential
+ buffer overflow which could be intentionally triggered from
+ within safe interpreter -- malicious applet could modify
+ tk::psglyphs array.
+
+2002-06-26 Anton Kovalenko <a_kovalenko@users.sourceforge.net>
+
* tests/font.test (font-32.1): updated this test
to expect the new behavior of canvas postscript.
diff --git a/generic/tkFont.c b/generic/tkFont.c
index 90914d2..31571d1 100644
--- a/generic/tkFont.c
+++ b/generic/tkFont.c
@@ -11,7 +11,7 @@
* See the file "license.terms" for information on usage and redistribution
* of this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tkFont.c,v 1.15 2002/06/25 16:27:43 a_kovalenko Exp $
+ * RCS: @(#) $Id: tkFont.c,v 1.16 2002/06/26 22:12:43 a_kovalenko Exp $
*/
#include "tkPort.h"
@@ -2827,7 +2827,7 @@ Tk_TextLayoutToPostscript(interp, layout)
else
buf[used++] = ')';
buf[used++] = '/';
- while( *glyphname )
+ while( (*glyphname) && (used < (MAXUSE+27)))
buf[used++] = *glyphname++ ;
buf[used++] = '(';
}