[haiku-commits] haiku: hrev43419 - src/kits/interface/textview_support

  • From: mmlr@xxxxxxxx
  • To: haiku-commits@xxxxxxxxxxxxx
  • Date: Tue, 6 Dec 2011 16:02:46 +0100 (CET)

hrev43419 adds 1 changeset to branch 'master'
old head: ded69b4c3ac474489a2f3d8a9ae11c8d03453ef0
new head: fb3c47ebadc5f1e0a334efc560fc03f9213a6ca3

----------------------------------------------------------------------------

fb3c47e: Fix passing non-terminated string to font functions.
  
  The string that is built for hashing the escapements for missing
  chars was not 0 terminated, leading to accesses past the string.
  Depending on what followed an allocation that could lead to too long
  strings being sent to the app_server for evaluation (where, due to
  defensive programming, nothing bad would actually happen). In the
  unfortunate case that nothing followed the allocation (i.e. end of
  heap area), it could also lead to an application crash.
  
  Therefore ensure 0 termination of the string, check for allocation
  failure and use memcpy() instead of a for loop to copy the bytes from
  one string to the other.

                                            [ Michael Lotz <mmlr@xxxxxxxx> ]

----------------------------------------------------------------------------

Revision:    hrev43419
Commit:      fb3c47ebadc5f1e0a334efc560fc03f9213a6ca3
URL:         http://cgit.haiku-os.org/haiku/commit/?id=fb3c47e
Author:      Michael Lotz <mmlr@xxxxxxxx>
Date:        Tue Dec  6 14:46:36 2011 UTC

----------------------------------------------------------------------------

1 files changed, 9 insertions(+), 3 deletions(-)
.../interface/textview_support/WidthBuffer.cpp     |   12 +++++++++---

----------------------------------------------------------------------------

diff --git a/src/kits/interface/textview_support/WidthBuffer.cpp 
b/src/kits/interface/textview_support/WidthBuffer.cpp
index 4615259..62f835e 100644
--- a/src/kits/interface/textview_support/WidthBuffer.cpp
+++ b/src/kits/interface/textview_support/WidthBuffer.cpp
@@ -133,15 +133,21 @@ WidthBuffer::StringWidth(const char* inText, int32 
fromOffset,
                        int32 offset = textLen;
                        textLen += charLen;
                        numChars++;
-                       text = (char*)realloc(text, textLen);
-                       for (int32 x = 0; x < charLen; x++)
-                               text[offset + x] = sourceText[x];
+                       char* newText = (char*)realloc(text, textLen + 1);
+                       if (newText == NULL) {
+                               free(text);
+                               return 0;
+                       }
+
+                       text = newText;
+                       memcpy(&text[offset], sourceText, charLen);
                }
        }
 
        if (text != NULL) {
                // We've found some characters which aren't yet in the hash 
table.
                // Get their width via HashEscapements()
+               text[textLen] = 0;
                stringWidth += HashEscapements(text, numChars, textLen, index, 
inStyle);
                free(text);
        }
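Review bot: In the new `newText == NULL` branch, `return 0` makes an allocation failure indistinguishable from a genuinely zero-width string, and because the code further down does `stringWidth += HashEscapements(...)`, whatever width was already accumulated in stringWidth is thrown away as well. Consider breaking out of the loop and returning the accumulated value, or documenting that 0 doubles as the failure result. It is also worth confirming that nothing acquired earlier in StringWidth(), outside the lines shown here, needs to be released before this early return. A short comment at `text[textLen] = 0;` saying that the font functions expect a terminated string even though textLen is passed alongside would tie it to the `textLen + 1` in the realloc, so neither gets removed later as apparently redundant.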

