From 5dac4fa094034470abd2ee135112ee4260292a6b Mon Sep 17 00:00:00 2001
From: dkf <donal.k.fellows@manchester.ac.uk>
Date: Sun, 25 Oct 2009 16:27:21 +0000
Subject: Fix [Bug 2809525] by limiting X11 color name lengths.

---
 ChangeLog          |  4 ++++
 unix/tkUnixColor.c | 23 ++++++++++++++++++-----
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 7f960e4..70449c9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2009-10-25  Donal K. Fellows  <dkf@users.sf.net>
 
+	* unix/tkUnixColor.c (TkpGetColor): [Bug 2809525]: Impose a maximum
+	X11 color name length so that it becomes impossible to blow things up
+	that way.
+
 	* library/text.tcl: [Bug 1854913]: Stop <Delete> actions from ever
 	deleting backwards, even when the insertion cursor is "at the end" of
 	the text widget.
diff --git a/unix/tkUnixColor.c b/unix/tkUnixColor.c
index 1c8c47e..4417a62 100644
--- a/unix/tkUnixColor.c
+++ b/unix/tkUnixColor.c
@@ -9,7 +9,7 @@
  * See the file "license.terms" for information on usage and redistribution of
  * this file, and for a DISCLAIMER OF ALL WARRANTIES.
  *
- * RCS: @(#) $Id: tkUnixColor.c,v 1.6 2007/12/13 15:28:50 dgp Exp $
+ * RCS: @(#) $Id: tkUnixColor.c,v 1.7 2009/10/25 16:27:21 dkf Exp $
  */
 
 #include "tkInt.h"
@@ -128,6 +128,20 @@ TkpGetColor(
     Colormap colormap = Tk_Colormap(tkwin);
     XColor color;
     TkColor *tkColPtr;
+    char buf[100];
+    unsigned len = strlen(name);
+
+    /*
+     * Make sure that we never exceed a reasonable length of color name. A
+     * good maximum length is 99, arbitrary, but larger than any known color
+     * name. [Bug 2809525]
+     */
+
+    if (len > 99) {
+	len = 99;
+    }
+    memcpy(buf, name, len);
+    buf[len] = '\0';
 
     /*
      * Map from the name to a pixel value. Call XAllocNamedColor rather than
@@ -138,8 +152,7 @@ TkpGetColor(
     if (*name != '#') {
 	XColor screen;
 
-	if (XAllocNamedColor(display, colormap, name, &screen,
-		&color) != 0) {
+	if (XAllocNamedColor(display, colormap, buf, &screen, &color) != 0) {
 	    DeleteStressedCmap(display, colormap);
 	} else {
 	    /*
@@ -149,13 +162,13 @@ TkpGetColor(
 	     * approximation to the desired color.
 	     */
 
-	    if (XLookupColor(display, colormap, name, &color, &screen) == 0) {
+	    if (XLookupColor(display, colormap, buf, &color, &screen) == 0) {
 		return NULL;
 	    }
 	    FindClosestColor(tkwin, &screen, &color);
 	}
     } else {
-	if (XParseColor(display, colormap, name, &color) == 0) {
+	if (XParseColor(display, colormap, buf, &color) == 0) {
 	    return NULL;
 	}
 	if (XAllocColor(display, colormap, &color) != 0) {
-- 
cgit v0.12