authorjan.nijtmans <nijtmans@users.sourceforge.net>2011-03-28 09:22:36 (GMT)
committerjan.nijtmans <nijtmans@users.sourceforge.net>2011-03-28 09:22:36 (GMT)
commit7387fa79447f5c555210e792e3365b5044f2615f (patch)
treecb0ff7b9ac8461c4ab3dad4e641d40ba9f4ea27f
parent4c27d6de89b1c4914949d474c61050e8839aa150 (diff)
parent2ddbd4ef22b8a849feab79bef67301fa85f2c5ea (diff)
[Bug 3129527]: Fix buffer overflow w/ GCC 4.5 and -D_FORTIFY_SOURCE=2. One more place where this problem could appear.
-rw-r--r--ChangeLog5
-rw-r--r--generic/tkText.h2
-rw-r--r--generic/tkTextBTree.c12
3 files changed, 13 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index f2cfd1d..459e3b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2011-03-28 Jan Nijtmans <nijtmans@users.sf.net>
+
+ * generic/tkTextBTree.c: [Bug 3129527]: Fix buffer overflow w/ GCC 4.5 and
+ -D_FORTIFY_SOURCE=2. One more place where this problem could appear.
+
2011-03-24 Jan Nijtmans <nijtmans@users.sf.net>
* win/tkWinMenu.c: [Bug #3239768] tk8.4.19 (and later) WIN32
diff --git a/generic/tkText.h b/generic/tkText.h
index da9611f..2aa80c2 100644
--- a/generic/tkText.h
+++ b/generic/tkText.h
@@ -170,7 +170,7 @@ typedef struct TkTextSegment {
int size; /* Size of this segment (# of bytes of index
* space it occupies). */
union {
- char chars[4]; /* Characters that make up character info.
+ char chars[1]; /* Characters that make up character info.
* Actual length varies to hold as many
* characters as needed.*/
TkTextToggle toggle; /* Information about tag toggle. */
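Review bot: The comment on `chars` still says only that the actual length varies, although the declared bound is now a one-byte placeholder that nearly every write will exceed. The contract should be stated at the declaration, for example `/* Placeholder bound; segment is over-allocated to hold size+1 bytes. Copy with memcpy and an explicit length, never strcpy/strncpy. */`. The "size+1" figure is inferred from the terminator writes in tkTextBTree.c in this same commit, so confirm it against the allocation code, which is not part of this diff. The rest of TkTextSegment lies outside the hunk.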
diff --git a/generic/tkTextBTree.c b/generic/tkTextBTree.c
index ab529a7..925fcc4 100644
--- a/generic/tkTextBTree.c
+++ b/generic/tkTextBTree.c
@@ -1071,7 +1071,7 @@ TkBTreeInsertChars(
curPtr->nextPtr = segPtr;
}
segPtr->size = chunkSize;
- strncpy(segPtr->body.chars, string, (size_t) chunkSize);
+ memcpy(segPtr->body.chars, string, (size_t) chunkSize);
segPtr->body.chars[chunkSize] = 0;
if (eol[-1] != '\n') {
@@ -4550,12 +4550,13 @@ CharSplitProc(
newPtr1->typePtr = &tkTextCharType;
newPtr1->nextPtr = newPtr2;
newPtr1->size = index;
- strncpy(newPtr1->body.chars, segPtr->body.chars, (size_t) index);
+ memcpy(newPtr1->body.chars, segPtr->body.chars, (size_t) index);
newPtr1->body.chars[index] = 0;
newPtr2->typePtr = &tkTextCharType;
newPtr2->nextPtr = segPtr->nextPtr;
newPtr2->size = segPtr->size - index;
- strcpy(newPtr2->body.chars, segPtr->body.chars + index);
+ memcpy(newPtr2->body.chars, segPtr->body.chars + index, newPtr2->size);
+ newPtr2->body.chars[newPtr2->size] = 0;
ckfree(segPtr);
return newPtr1;
}
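Review bot: The new copy into `newPtr2->body.chars` takes its length from `newPtr2->size`, which is `segPtr->size - index`, and nothing visible in the hunk checks that `index` lies between 0 and `segPtr->size`. The removed strcpy stopped at the terminator, whereas a negative int converted to size_t makes memcpy request an enormous copy. CharSplitProc begins above the hunk, so the range may already be guaranteed there; if it is not, a check such as `assert(index >= 0 && index <= segPtr->size);` before the copies would make the invariant explicit. As a style point, this call and the two memcpy calls in CharCleanupProc pass int sizes without the `(size_t)` cast used on the `index` copy a few lines above. `memcpy(newPtr2->body.chars, segPtr->body.chars + index, (size_t) newPtr2->size);` would keep the sites consistent.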
@@ -4595,8 +4596,9 @@ CharCleanupProc(
newPtr->typePtr = &tkTextCharType;
newPtr->nextPtr = segPtr2->nextPtr;
newPtr->size = segPtr->size + segPtr2->size;
- strcpy(newPtr->body.chars, segPtr->body.chars);
- strcpy(newPtr->body.chars + segPtr->size, segPtr2->body.chars);
+ memcpy(newPtr->body.chars, segPtr->body.chars, segPtr->size);
+ memcpy(newPtr->body.chars + segPtr->size, segPtr2->body.chars, segPtr2->size);
+ newPtr->body.chars[newPtr->size] = 0;
ckfree(segPtr);
ckfree(segPtr2);
return newPtr;