authorPatrick Griffis <tingping@tingping.se>2015-10-30 00:57:25 -0400
committerPatrick Griffis <tingping@tingping.se>2015-10-30 01:22:13 -0400
commitc8539b93fe65977ee507b473e9dd62a1cc7bec53 (patch)
treef764c526e07affd1d773f3b9e8766a2a4a0b298a
parent1e914347d700de3d3d8f6c7947a97160bb866e51 (diff)
xtext: Fix overflow on long lines
xtext keeps a static buffer and uses it for various things
and asserts that every text entry is < 4096. It does
this check on gtk_xtext_append*() except it does the check only on
the right half of text when indent is enabled.

This overflow caused corruption in the xtext struct
changing the url check functions making hovering
with the mouse do 'undefined' things.

In the long term this should be replaced with a dynamically
allocated buffer so that no arbitrary size limit exists and
text no longer gets cut off.

Fixes #1465
Fixes #1186
Fixes #1206
-rw-r--r--src/fe-gtk/xtext.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/fe-gtk/xtext.c b/src/fe-gtk/xtext.c
index 6692b360..1e65fb6b 100644
--- a/src/fe-gtk/xtext.c
+++ b/src/fe-gtk/xtext.c
@@ -4649,8 +4649,8 @@ gtk_xtext_append_indent (xtext_buffer *buf,
 	if (right_len == -1)
 		right_len = strlen (right_text);
 
-	if (right_len >= sizeof (buf->xtext->scratch_buffer))
-		right_len = sizeof (buf->xtext->scratch_buffer) - 1;
+	if (left_len + right_len + 2 >= sizeof (buf->xtext->scratch_buffer))
+		right_len = sizeof (buf->xtext->scratch_buffer) - left_len - 2;
 
 	if (right_text[right_len-1] == '\n')
 		right_len--;
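Review bot: The new clamp on `right_len` only works if `left_len` is already smaller than the scratch buffer, and nothing in this hunk bounds `left_len`. When `left_len` is `sizeof (buf->xtext->scratch_buffer) - 2` or larger, `sizeof (...) - left_len - 2` is evaluated in `size_t` and yields zero or wraps, so `right_len` becomes zero or (if it is a signed int, as the `-1` sentinel suggests) negative, and the `right_text[right_len-1]` test that follows reads before the start of `right_text`. I would bound the left half first, `if (left_len > sizeof (buf->xtext->scratch_buffer) - 3) left_len = sizeof (buf->xtext->scratch_buffer) - 3;`, and guard the newline test as `if (right_len > 0 && right_text[right_len-1] == '\n')`. The function begins above the hunk, so `left_len` may already be limited there; if it is, a comment stating that limit next to the clamp would be enough.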
@@ -4670,6 +4670,9 @@ gtk_xtext_append_indent (xtext_buffer *buf,
 	ent->str_len = left_len + 1 + right_len;
 	ent->indent = (buf->indent - left_width) - buf->xtext->space_width;
 
+	/* This is copied into the scratch buffer later, double check math */
+	g_assert (ent->str_len < sizeof (buf->xtext->scratch_buffer));
+
 	if (buf->time_stamp)
 		space = buf->xtext->stamp_width;
 	else
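Review bot: The added `g_assert` is the only check that `ent->str_len` fits the scratch buffer before the later copy, and GLib compiles `g_assert` out when `G_DISABLE_ASSERT` is defined, so a build with that flag has no guard here at all. Where the assert is active, a slip in the length math aborts the whole client instead of truncating one line. An unconditional check would hold in every build, for example `if (ent->str_len >= sizeof (buf->xtext->scratch_buffer)) ent->str_len = sizeof (buf->xtext->scratch_buffer) - 1;`, though whether shortening `str_len` at this point is safe depends on how `ent->str` was filled above the hunk. The function's start and end are both outside the hunk.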