From 06a17431086a4c08e2111ef5942d49759f7b3687 Mon Sep 17 00:00:00 2001 From: "jan.nijtmans" Date: Wed, 21 Mar 2012 22:17:23 +0000 Subject: [Bug 2809525] Abort on overlong color name --- ChangeLog | 5 +++ generic/tkColor.c | 94 +++++++++++++++++++++++++++++------------------------- unix/tkUnixColor.c | 23 ++++--------- 3 files changed, 62 insertions(+), 60 deletions(-) diff --git a/ChangeLog b/ChangeLog index f98ff7f..1cbf1e0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2012-03-21 Jan Nijtmans + + * generic/tkColor.c: [Bug 2809525] Abort on overlong color name. + * unix/tkUnixColor.c: + 2012-03-18 Jan Nijtmans * xlib/xcolors.c: [RFE 3503317]: XParseColor speedup diff --git a/generic/tkColor.c b/generic/tkColor.c index edd8509..5866dfd 100644 --- a/generic/tkColor.c +++ b/generic/tkColor.c @@ -814,55 +814,63 @@ TkDebugColor(tkwin, name) /* This function is not necessary for Win32, * since XParseColor already does the right thing */ Status -TkParseColor(display, map, spec, colorPtr) +TkParseColor(display, map, name, color) Display * display; /* The display */ Colormap map; /* Color map */ - CONST char* spec; /* String to be parsed */ - XColor * colorPtr; + CONST char* name; /* String to be parsed */ + XColor * color; { - if (*spec == '#') { - char buf[14]; - buf[0] = '#'; buf[13] = '\0'; - if (!*(++spec) || !*(++spec) || !*(++spec)) { - /* Not at least 3 hex digits, so invalid */ + if (*name == '#') { + char buf[14]; + buf[0] = '#'; buf[13] = '\0'; + if (!*(++name) || !*(++name) || !*(++name)) { + /* Not at least 3 hex digits, so invalid */ return 0; - } else if (!*(++spec)) { - /* Exactly 3 hex digits */ - buf[9] = buf[10] = buf[11] = buf[12] = *(--spec); - buf[5] = buf[6] = buf[7] = buf[8] = *(--spec); - buf[1] = buf[2] = buf[3] = buf[4] = *(--spec); - spec = buf; - } else if (!*(++spec) || !*(++spec)) { - /* Not at least 6 hex digits, so invalid */ - return 0; - } else if (!*(++spec)) { - /* Exactly 6 hex digits */ - buf[10] = buf[12] = *(--spec); - buf[9] = buf[11] = *(--spec); - buf[6] = buf[8] = *(--spec); - buf[5] = buf[7] = *(--spec); - buf[2] = buf[4] = *(--spec); - buf[1] = buf[3] = *(--spec); - spec = buf; - } else if (!*(++spec) || !*(++spec)) { - /* Not at least 9 hex digits, so invalid */ - return 0; - } else if (!*(++spec)) { - /* Exactly 9 hex digits */ - buf[11] = *(--spec); - buf[10] = *(--spec); - buf[9] = buf[12] = *(--spec); - buf[7] = *(--spec); - buf[6] = *(--spec); - buf[5] = buf[8] = *(--spec); - buf[3] = *(--spec); - buf[2] = *(--spec); - buf[1] = buf[4] = *(--spec); - spec = buf; + } else if (!*(++name)) { + /* Exactly 3 hex digits */ + buf[9] = buf[10] = buf[11] = buf[12] = *(--name); + buf[5] = buf[6] = buf[7] = buf[8] = *(--name); + buf[1] = buf[2] = buf[3] = buf[4] = *(--name); + name = buf; + } else if (!*(++name) || !*(++name)) { + /* Not at least 6 hex digits, so invalid */ + return 0; + } else if (!*(++name)) { + /* Exactly 6 hex digits */ + buf[10] = buf[12] = *(--name); + buf[9] = buf[11] = *(--name); + buf[6] = buf[8] = *(--name); + buf[5] = buf[7] = *(--name); + buf[2] = buf[4] = *(--name); + buf[1] = buf[3] = *(--name); + name = buf; + } else if (!*(++name) || !*(++name)) { + /* Not at least 9 hex digits, so invalid */ + return 0; + } else if (!*(++name)) { + /* Exactly 9 hex digits */ + buf[11] = *(--name); + buf[10] = *(--name); + buf[9] = buf[12] = *(--name); + buf[7] = *(--name); + buf[6] = *(--name); + buf[5] = buf[8] = *(--name); + buf[3] = *(--name); + buf[2] = *(--name); + buf[1] = buf[4] = *(--name); + name = buf; + } else if (!*(++name) || !*(++name) || *(++name)) { + /* Not exactly 12 hex digits, so invalid */ + return 0; } else { - spec -= 10; + name -= 13; + } + } else { + if (strlen(name) > 99) { + /* Don't bother to parse this. [Bug 2809525]*/ + return 0; } } - return XParseColor(display, map, spec, colorPtr); + return XParseColor(display, map, name, color); } #endif /* __WIN32__ */ diff --git a/unix/tkUnixColor.c b/unix/tkUnixColor.c index aebbbca..722dd06 100644 --- a/unix/tkUnixColor.c +++ b/unix/tkUnixColor.c @@ -128,20 +128,6 @@ TkpGetColor(tkwin, name) Colormap colormap = Tk_Colormap(tkwin); XColor color; TkColor *tkColPtr; - char buf[100]; - unsigned len = strlen(name); - - /* - * Make sure that we never exceed a reasonable length of color name. A - * good maximum length is 99, arbitrary, but larger than any known color - * name. [Bug 2809525] - */ - - if (len > 99) { - len = 99; - } - memcpy(buf, name, len); - buf[len] = '\0'; /* * Map from the name to a pixel value. Call XAllocNamedColor rather than @@ -152,7 +138,10 @@ TkpGetColor(tkwin, name) if (*name != '#') { XColor screen; - if (XAllocNamedColor(display, colormap, buf, &screen, &color) != 0) { + if (strlen(name) > 99) { + /* Don't bother to parse this. [Bug 2809525]*/ + return (TkColor *) NULL; + } else if (XAllocNamedColor(display, colormap, name, &screen, &color) != 0) { DeleteStressedCmap(display, colormap); } else { /* @@ -162,13 +151,13 @@ TkpGetColor(tkwin, name) * pick an approximation to the desired color. */ - if (XLookupColor(display, colormap, buf, &color, &screen) == 0) { + if (XLookupColor(display, colormap, name, &color, &screen) == 0) { return (TkColor *) NULL; } FindClosestColor(tkwin, &screen, &color); } } else { - if (TkParseColor(display, colormap, buf, &color) == 0) { + if (TkParseColor(display, colormap, name, &color) == 0) { return (TkColor *) NULL; } if (XAllocColor(display, colormap, &color) != 0) { -- cgit v0.12