From c8539b93fe65977ee507b473e9dd62a1cc7bec53 Mon Sep 17 00:00:00 2001
From: Patrick Griffis
Date: Fri, 30 Oct 2015 00:57:25 -0400
Subject: xtext: Fix overflow on long lines

xtext keeps a static buffer and uses it for various things and asserts that every text entry is < 4096. It does this check on gtk_xtext_append*() except it does the check only on the right half of text when indent is enabled. This overflow caused corruption in the xtext struct changing the url check functions making hovering with the mouse do 'undefined' things. In the long term this should be removed for a dynamically allocated buffer so no arbitrary size limit exists and text gets cut off.

Fixes #1465
Fixes #1186
Fixes #1206
---
 src/fe-gtk/xtext.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/fe-gtk/xtext.c b/src/fe-gtk/xtext.c
index 6692b360..1e65fb6b 100644
--- a/src/fe-gtk/xtext.c
+++ b/src/fe-gtk/xtext.c
@@ -4649,8 +4649,8 @@ gtk_xtext_append_indent (xtext_buffer *buf,
 	if (right_len == -1)
 		right_len = strlen (right_text);
-	if (right_len >= sizeof (buf->xtext->scratch_buffer))
-		right_len = sizeof (buf->xtext->scratch_buffer) - 1;
+	if (left_len + right_len + 2 >= sizeof (buf->xtext->scratch_buffer))
+		right_len = sizeof (buf->xtext->scratch_buffer) - left_len - 2;
 	if (right_text[right_len-1] == '\n')
 		right_len--;
@@ -4670,6 +4670,9 @@ gtk_xtext_append_indent (xtext_buffer *buf,
 	ent->str_len = left_len + 1 + right_len;
 	ent->indent = (buf->indent - left_width) - buf->xtext->space_width;
+	/* This is copied into the scratch buffer later, double check math */
+	g_assert (ent->str_len < sizeof (buf->xtext->scratch_buffer));
+
 	if (buf->time_stamp)
 		space = buf->xtext->stamp_width;
 	else
-- 
cgit 1.4.1
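Review bot: The new clamp `if (left_len + right_len + 2 >= sizeof (buf->xtext->scratch_buffer))` bounds only right_len, so when left_len by itself is within two bytes of the buffer size the size_t subtraction on the next line wraps and, stored back into right_len (signed, since it is compared against -1 just above), produces 0 or a negative value; the unchanged `right_text[right_len-1]` test that follows then reads before the start of right_text. left_len is computed before this hunk (gtk_xtext_append_indent starts outside it), so it needs its own bound ahead of the new check, e.g. `if (left_len + 2 >= sizeof (buf->xtext->scratch_buffer)) left_len = sizeof (buf->xtext->scratch_buffer) - 2;`, and the newline test should become `if (right_len > 0 && right_text[right_len-1] == '\n')`. Whether silently truncating left_text is acceptable to callers is not visible here; rejecting the entry instead of clamping would be the conservative alternative. The same signed/unsigned mix also means the comparison itself is done in size_t, which is fine only while both lengths are non-negative.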
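Review bot: The `g_assert` added after `ent->indent = ...` is a debugging aid rather than a bounds check: GLib compiles g_assert out when G_DISABLE_ASSERT is defined, so in such a build nothing stops an oversized str_len from reaching the later scratch-buffer copy, and in other builds a long line aborts the process instead of being truncated. The real guarantee has to come from the length clamps earlier in gtk_xtext_append_indent (the function starts outside this hunk); the assert can only confirm them. The comment would say this more precisely as `/* str_len must fit scratch_buffer (it is copied there later); the length clamps above are what guarantee this */`.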