diff options
| author | Patrick Griffis <tingping@tingping.se> | 2015-10-30 00:57:25 -0400 |
|---|---|---|
| committer | Patrick Griffis <tingping@tingping.se> | 2015-10-30 01:22:13 -0400 |
| commit | c8539b93fe65977ee507b473e9dd62a1cc7bec53 (patch) | |
| tree | f764c526e07affd1d773f3b9e8766a2a4a0b298a | |
| parent | 1e914347d700de3d3d8f6c7947a97160bb866e51 (diff) | |
xtext: Fix overflow on long lines
xtext keeps a static buffer and uses it for various things and asserts that every text entry is < 4096. It does this check on gtk_xtext_append*() except it does the check only on the right half of text when indent is enabled. This overflow caused corruption in the xtext struct changing the url check functions making hovering with the mouse do 'undefined' things. In the long term this should be removed for a dynamically allocated buffer so no arbitrary size limit exists and text gets cut off. Fixes #1465 Fixes #1186 Fixes #1206
| -rw-r--r-- | src/fe-gtk/xtext.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/fe-gtk/xtext.c b/src/fe-gtk/xtext.c index 6692b360..1e65fb6b 100644 --- a/src/fe-gtk/xtext.c +++ b/src/fe-gtk/xtext.c @@ -4649,8 +4649,8 @@ gtk_xtext_append_indent (xtext_buffer *buf, if (right_len == -1) right_len = strlen (right_text); - if (right_len >= sizeof (buf->xtext->scratch_buffer)) - right_len = sizeof (buf->xtext->scratch_buffer) - 1; + if (left_len + right_len + 2 >= sizeof (buf->xtext->scratch_buffer)) + right_len = sizeof (buf->xtext->scratch_buffer) - left_len - 2; if (right_text[right_len-1] == '\n') right_len--; @@ -4670,6 +4670,9 @@ gtk_xtext_append_indent (xtext_buffer *buf, ent->str_len = left_len + 1 + right_len; ent->indent = (buf->indent - left_width) - buf->xtext->space_width; + /* This is copied into the scratch buffer later, double check math */ + g_assert (ent->str_len < sizeof (buf->xtext->scratch_buffer)); + if (buf->time_stamp) space = buf->xtext->stamp_width; else |