hrev43419 adds 1 changeset to branch 'master'
old head: ded69b4c3ac474489a2f3d8a9ae11c8d03453ef0
new head: fb3c47ebadc5f1e0a334efc560fc03f9213a6ca3

----------------------------------------------------------------------------

fb3c47e: Fix passing non-terminated string to font functions.

  The string that is built for hashing the escapements for missing chars
  was not 0 terminated, leading to accesses past the string. Depending on
  what followed an allocation that could lead to too long strings being
  sent to the app_server for evaluation (where, due to defensive
  programming, nothing bad would actually happen). In the unfortunate case
  that nothing followed the allocation (i.e. end of heap area), it could
  also lead to an application crash.

  Therefore ensure 0 termination of the string, check for allocation
  failure and use memcpy() instead of a for loop to copy the bytes from
  one string to the other.

  [ Michael Lotz <mmlr@xxxxxxxx> ]

----------------------------------------------------------------------------

Revision: hrev43419
Commit: fb3c47ebadc5f1e0a334efc560fc03f9213a6ca3
URL: http://cgit.haiku-os.org/haiku/commit/?id=fb3c47e
Author: Michael Lotz <mmlr@xxxxxxxx>
Date: Tue Dec 6 14:46:36 2011 UTC

----------------------------------------------------------------------------

1 files changed, 9 insertions(+), 3 deletions(-)
.../interface/textview_support/WidthBuffer.cpp | 12 +++++++++---

----------------------------------------------------------------------------

diff --git a/src/kits/interface/textview_support/WidthBuffer.cpp b/src/kits/interface/textview_support/WidthBuffer.cpp index 4615259..62f835e 100644 --- a/src/kits/interface/textview_support/WidthBuffer.cpp +++ b/src/kits/interface/textview_support/WidthBuffer.cpp 
@@ -133,15 +133,21 @@ WidthBuffer::StringWidth(const char* inText, int32 fromOffset, int32 offset = textLen; textLen += charLen; numChars++; - text = (char*)realloc(text, textLen); - for (int32 x = 0; x < charLen; x++) - text[offset + x] = sourceText[x]; + char* newText = (char*)realloc(text, textLen + 1); + if (newText == NULL) { + free(text); + return 0; + } + + text = newText; + memcpy(&text[offset], sourceText, charLen); } } if (text != NULL) { // We've found some characters which aren't yet in the hash table. // Get their width via HashEscapements() + text[textLen] = 0; stringWidth += HashEscapements(text, numChars, textLen, index, inStyle); free(text); }
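Review bot: the allocation-failure path (`if (newText == NULL) { free(text); return 0; }`) throws away whatever has already been accumulated in `stringWidth`; the tail of the hunk shows `stringWidth += HashEscapements(...)`, so characters found in the hash table before this point have already contributed to it, and a caller now receives a width of 0 for the whole string instead of the width of the characters measured so far. Consider `return stringWidth;` on that path (the missing characters are simply not measured), or at least a comment stating that a zero width on out-of-memory is intentional, since nothing in the hunk otherwise signals the failure to the caller. The rest of the change is consistent: `textLen + 1` is reserved in every `realloc`, so the final `text[textLen] = 0;` writes inside the allocation, and `memcpy(&text[offset], sourceText, charLen)` copies the same bytes the removed loop did.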