From 88c10a50633227440660c623dc76a8f017b1e054 Mon Sep 17 00:00:00 2001
From: dkf <donal.k.fellows@manchester.ac.uk>
Date: Sun, 25 Oct 2009 17:08:27 +0000
Subject: Fix [Bug 2809525] by limiting X11 color name lengths.

---
 ChangeLog          |  6 ++++++
 unix/tkUnixColor.c | 24 ++++++++++++++++++------
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index a8972c4..5c13d07 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2009-10-25  Donal K. Fellows  <dkf@users.sf.net>
+
+	* unix/tkUnixColor.c (TkpGetColor): [Bug 2809525]: Impose a maximum
+	X11 color name length so that it becomes impossible to blow things up
+	that way.
+
 2009-10-22  Donal K. Fellows  <dkf@users.sf.net>
 
 	* generic/tkText.c (Tk_TextCmd, TextEditUndo, TextEditRedo)
diff --git a/unix/tkUnixColor.c b/unix/tkUnixColor.c
index e2def60..8d80bef 100644
--- a/unix/tkUnixColor.c
+++ b/unix/tkUnixColor.c
@@ -9,7 +9,7 @@
  * See the file "license.terms" for information on usage and redistribution
  * of this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tkUnixColor.c,v 1.2 1998/09/14 18:23:55 stanton Exp $
+ * RCS: @(#) $Id: tkUnixColor.c,v 1.2.26.1 2009/10/25 17:08:28 dkf Exp $
  */
 
 #include <tkColor.h>
@@ -130,6 +130,20 @@ TkpGetColor(tkwin, name)
     Colormap colormap = Tk_Colormap(tkwin);
     XColor color;
     TkColor *tkColPtr;
+    char buf[100];
+    unsigned len = strlen(name);
+
+    /*
+     * Make sure that we never exceed a reasonable length of color name. A
+     * good maximum length is 99, arbitrary, but larger than any known color
+     * name. [Bug 2809525]
+     */
+
+    if (len > 99) {
+	len = 99;
+    }
+    memcpy(buf, name, len);
+    buf[len] = '\0';
 
     /*
      * Map from the name to a pixel value.  Call XAllocNamedColor rather than
@@ -140,8 +154,7 @@ TkpGetColor(tkwin, name)
     if (*name != '#') {
 	XColor screen;
 
-	if (XAllocNamedColor(display, colormap, name, &screen,
-		&color) != 0) {
+	if (XAllocNamedColor(display, colormap, buf, &screen, &color) != 0) {
 	    DeleteStressedCmap(display, colormap);
 	} else {
 	    /*
@@ -151,14 +164,13 @@ TkpGetColor(tkwin, name)
 	     * pick an approximation to the desired color.
 	     */
 
-	    if (XLookupColor(display, colormap, name, &color,
-		    &screen) == 0) {
+	    if (XLookupColor(display, colormap, buf, &color, &screen) == 0) {
 		return (TkColor *) NULL;
 	    }
 	    FindClosestColor(tkwin, &screen, &color);
 	}
     } else {
-	if (XParseColor(display, colormap, name, &color) == 0) {
+	if (XParseColor(display, colormap, buf, &color) == 0) {
 	    return (TkColor *) NULL;
 	}
 	if (XAllocColor(display, colormap, &color) != 0) {
-- 
cgit v0.12