[haiku-commits] Re: r36172 - haiku/trunk/src/kits/interface

  • From: Stefano Ceccherini <stefano.ceccherini@xxxxxxxxx>
  • To: haiku-commits@xxxxxxxxxxxxx
  • Date: Mon, 12 Apr 2010 08:42:57 +0200

2010/4/11  <superstippi@xxxxxx>:
> Author: stippi
> Date: 2010-04-11 23:20:39 +0200 (Sun, 11 Apr 2010)
> New Revision: 36172
> Changeset: http://dev.haiku-os.org/changeset/36172/haiku
>
> Modified:
>   haiku/trunk/src/kits/interface/TextInput.cpp
> Log:
> Bug found by mmlr, since the "inText" is not terminated, strcpy could overwrite
> a random amount of memory of the allocated "buffer". If it were terminated, it
> would overwrite one byte, since it will also terminate the destination buffer,
> which didn't contain the necessary room. Use strlcpy() instead and provide
> enough room.
>
>
> Modified: haiku/trunk/src/kits/interface/TextInput.cpp
> ===================================================================
> --- haiku/trunk/src/kits/interface/TextInput.cpp        2010-04-11 20:45:23 
> UTC (rev 36171)
> +++ haiku/trunk/src/kits/interface/TextInput.cpp        2010-04-11 21:20:39 
> UTC (rev 36172)
> @@ -207,10 +207,10 @@
>        char* buffer = NULL;
>
>        if (strpbrk(inText, "\r\n") && inLength <= 1024) {
> -               buffer = (char*)malloc(inLength);
> +               buffer = (char*)malloc(inLength + 1);
>
>                if (buffer) {
> -                       strcpy(buffer, inText);
> +                       strlcpy(buffer, inText, inLength);
>
>                        for (int32 i = 0; i < inLength; i++) {
>                                if (buffer[i] == '\r' || buffer[i] == '\n')
>
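Review bot: `strlcpy(buffer, inText, inLength)` drops the last character of the input. strlcpy copies at most size - 1 bytes before writing the terminator, so only inLength - 1 bytes land in the buffer that the line above just enlarged to inLength + 1; the size argument should be `inLength + 1` to match the allocation. Separately, strlcpy (like the `strpbrk(inText, "\r\n")` call in the condition above it) still walks inText looking for a NUL to compute its return value, so with an unterminated inText, as the log describes, it reads past the end of the source even though it no longer writes past the end of the destination; `memcpy(buffer, inText, inLength); buffer[inLength] = '\0';` bounds both the read and the write to the length the caller actually passed.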

Note that this code still has problems.
In case the text is longer than 1024 bytes, the CR and LF won't be
removed, and the text will be copied as-is to the destination buffer.
I guess we could simply cut the text if it's longer than 1024 (or a
different value, but still fixed).
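The length-bounded copy the log calls for, together with the fixed cap Stefano suggests for input longer than 1024 bytes, as an added example that is not Haiku's TextInput.cpp code: the function, its parameter names, the `maxLength` cap and the choice to drop CR/LF outright (the patch's own replacement for those bytes is not visible in the hunk) are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Haiku's code. Copies inLength bytes of an input that
 * may NOT be NUL-terminated into a fresh, terminated buffer, dropping CR and
 * LF on the way. memcpy-style indexing bounded by the caller's length is used
 * instead of strcpy/strlcpy, so the source is never scanned for a terminator
 * it may not have. Returns NULL only if malloc fails. */
char* copy_without_newlines(const char* inText, size_t inLength, size_t maxLength)
{
    /* Assumed cap, mirroring the 1024-byte limit in the patch: longer input
     * is truncated to maxLength rather than passed through unfiltered. */
    if (inLength > maxLength)
        inLength = maxLength;

    char* buffer = malloc(inLength + 1);   /* +1 for the terminator */
    if (buffer == NULL)
        return NULL;

    size_t out = 0;
    for (size_t i = 0; i < inLength; i++) {
        if (inText[i] == '\r' || inText[i] == '\n')
            continue;                      /* drop line breaks */
        buffer[out++] = inText[i];
    }
    buffer[out] = '\0';                    /* always room: out <= inLength */
    return buffer;
}

int main(void)
{
    /* Constructed sample: deliberately NOT NUL-terminated, like "inText". */
    const char raw[] = { 'l', 'i', 'n', 'e', '\r', '\n', 't', 'w', 'o' };
    char* clean = copy_without_newlines(raw, sizeof raw, 1024);
    if (clean != NULL) {
        puts(clean);                       /* prints "linetwo" */
        free(clean);
    }
    return 0;
}
```

Because the loop reads only `inLength` bytes, the over-long case Stefano describes cannot reach the destination unfiltered: anything past `maxLength` is cut off, and whatever remains still has its CR/LF removed.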
