[balsa/gtk3] Fix stack buffer overflow
- From: Peter Bloomfield <PeterB src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [balsa/gtk3] Fix stack buffer overflow
- Date: Thu, 1 Sep 2011 21:42:02 +0000 (UTC)
commit 40bc9a5db5acdbc7090f554d25206320fd38f440
Author: Peter Bloomfield <PeterBloomfield bellsouth net>
Date: Thu Sep 1 17:41:20 2011 -0400
Fix stack buffer overflow
* libbalsa/misc.c (lb_text_attr): add gssize len argument;
(libbalsa_text_attr_string): pass -1;
(libbalsa_text_attr_file): pass len; avoid stack buffer
overflow.
ChangeLog | 7 +++++++
libbalsa/misc.c | 33 +++++++++++++++++++--------------
2 files changed, 26 insertions(+), 14 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index 5c5fbf5..d2ca8aa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-09-01 Peter Bloomfield
+
+ * libbalsa/misc.c (lb_text_attr): add gssize len argument;
+ (libbalsa_text_attr_string): pass -1;
+ (libbalsa_text_attr_file): pass len; avoid stack buffer
+ overflow.
+
2011-08-31 Peter Bloomfield
* libbalsa/misc.c (libbalsa_text_attr_file): use GFile methods.
diff --git a/libbalsa/misc.c b/libbalsa/misc.c
index e385597..caa6b9e 100644
--- a/libbalsa/misc.c
+++ b/libbalsa/misc.c
@@ -693,10 +693,13 @@ libbalsa_charset_button_new(void)
/* Helper */
static void
-lb_text_attr(const gchar * text, gboolean * has_esc, gboolean * has_hi_bit,
- gboolean * has_hi_ctrl)
+lb_text_attr(const gchar * text, gssize len, gboolean * has_esc,
+ gboolean * has_hi_bit, gboolean * has_hi_ctrl)
{
- for (; *text; text++) {
+ if (len < 0)
+ len = strlen(text);
+
+ for (; --len >= 0; text++) {
guchar c = *text;
if (c == 0x1b)
*has_esc = TRUE;
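Review bot: The `/* Helper */` comment above lb_text_attr does not describe the new `len` argument, and the fix depends on that contract. I would replace it with `/* Helper: scan len bytes of text, or up to the terminating NUL when len < 0; text need not be NUL-terminated when len >= 0 */`. With an explicit length the loop `for (; --len >= 0; text++)` no longer stops at a NUL byte, so every caller must pass a count no larger than the bytes actually present in the buffer. The function body continues past the end of this hunk.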
@@ -718,7 +721,7 @@ libbalsa_text_attr_string(const gchar * string)
gboolean has_hi_ctrl = FALSE;
gboolean is_utf8 = TRUE;
- lb_text_attr(string, &has_esc, &has_hi_bit, &has_hi_ctrl);
+ lb_text_attr(string, -1, &has_esc, &has_hi_bit, &has_hi_ctrl);
is_utf8 = g_utf8_validate(string, -1, NULL);
attr = 0;
@@ -766,23 +769,25 @@ libbalsa_text_attr_file(const gchar * filename)
if (!test_bits && !is_utf8)
break;
- new_chars[bytes] = 0;
-
if (test_bits)
- lb_text_attr(new_chars, &has_esc, &has_hi_bit, &has_hi_ctrl);
+ lb_text_attr(new_chars, bytes, &has_esc, &has_hi_bit,
+ &has_hi_ctrl);
if (is_utf8) {
const gchar *end;
+ bytes += new_chars - buf;
new_chars = buf;
- if (!g_utf8_validate(buf, -1, &end)) {
- if (g_utf8_get_char_validated(end, -1) == (gunichar) (-1))
+ if (!g_utf8_validate(buf, bytes, &end)) {
+ bytes -= (end - buf);
+ if (g_utf8_get_char_validated(end, bytes) ==
+ (gunichar) (-1)) {
is_utf8 = FALSE;
- else
- /* copy any remaining bytes, including the
- * terminating '\0', to start of buffer */
- while ((*new_chars = *end++) != '\0')
- new_chars++;
+ } else {
+ /* copy remaining bytes to start of buffer */
+ memmove(buf, end, bytes);
+ new_chars += bytes;
+ }
}
}
}
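Review bot: The `else` branch that carries bytes over to the next read runs for every result of `g_utf8_get_char_validated(end, bytes)` other than `(gunichar) (-1)`, so `memmove(buf, end, bytes)` and `new_chars += bytes` are not limited to an incomplete trailing sequence. GLib documents that `g_utf8_validate` with an explicit length also fails on an embedded NUL byte, so in that case the carried-over tail could presumably be most of the chunk. The read that fills `new_chars` is outside this hunk, so whether its length is derived from the space left in `buf` cannot be confirmed here and should be checked. I would carry bytes over only for a genuinely partial sequence and otherwise set `is_utf8 = FALSE`, for example `if (g_utf8_get_char_validated(end, bytes) != (gunichar) (-2) || bytes >= 6) {` ahead of the existing `is_utf8 = FALSE;`. The enclosing loop and function start and end outside the hunk.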