From 8ed012189029d6c2bb809677a0f8f3a1012538a8 Mon Sep 17 00:00:00 2001
From: a_kovalenko <a_kovalenko>
Date: Wed, 26 Jun 2002 22:12:43 +0000
Subject: Fixed potential buffer overflow from patch#546910

---
 ChangeLog        | 7 +++++++
 generic/tkFont.c | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index c5c7363..e299722 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2002-06-26  Anton Kovalenko <a_kovalenko@users.sourceforge.net>
 
+	* generic/tkFont.c (TkTextLayoutToPostscript): fixed potential
+	buffer overflow which could be intentionally triggered from
+	within safe interpreter -- malicious applet could modify 
+	tk::psglyphs array.
+
+2002-06-26  Anton Kovalenko <a_kovalenko@users.sourceforge.net>
+
 	* tests/font.test (font-32.1): updated this test
 	to expect the new behavior of canvas postscript.
 
diff --git a/generic/tkFont.c b/generic/tkFont.c
index 90914d2..31571d1 100644
--- a/generic/tkFont.c
+++ b/generic/tkFont.c
@@ -11,7 +11,7 @@
  * See the file "license.terms" for information on usage and redistribution
  * of this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tkFont.c,v 1.15 2002/06/25 16:27:43 a_kovalenko Exp $
+ * RCS: @(#) $Id: tkFont.c,v 1.16 2002/06/26 22:12:43 a_kovalenko Exp $
  */
 
 #include "tkPort.h"
@@ -2827,7 +2827,7 @@ Tk_TextLayoutToPostscript(interp, layout)
 			else
 			    buf[used++] = ')';
 			buf[used++] = '/';
-			while( *glyphname ) 
+			while( (*glyphname) && (used < (MAXUSE+27))) 
 			    buf[used++] = *glyphname++ ;
 			buf[used++] = '(';
 		    }
-- 
cgit v0.12