From c25ce9d017f6f82ae27256039d313601735dd998 Mon Sep 17 00:00:00 2001
From: Jan D
Date: Sun, 15 Aug 2010 10:13:02 +0200
Subject: [PATCH] Potential buffer overrun and uninit variable fixed, bug 6855.
* keyboard.c (parse_tool_bar_item): malloc buf. Set TOOL_BAR_ITEM_LABEL to empty string if not set to new_lbl (Bug#6855).
---
 src/ChangeLog | 5 +++++
 src/keyboard.c | 7 +++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 7c76e905c42..316487359cb 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2010-08-15 Jan Djärv
+
+ * keyboard.c (parse_tool_bar_item): malloc buf. Set TOOL_BAR_ITEM_LABEL
+ to empty string if not set to new_lbl (Bug#6855).
+
 2010-08-14 Eli Zaretskii
 * xterm.c (x_draw_stretch_glyph_string):
diff --git a/src/keyboard.c b/src/keyboard.c
index c92d359f66a..8691788f418 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -8328,14 +8328,14 @@ parse_tool_bar_item (Lisp_Object key, Lisp_Object item)
 Lisp_Object capt = PROP (TOOL_BAR_ITEM_CAPTION);
 const char *label = SYMBOLP (key) ? (char *) SDATA (SYMBOL_NAME (key)) : "";
 const char *caption = STRINGP (capt) ? (char *) SDATA (capt) : "";
- char buf[64];
 EMACS_INT max_lbl = 2*tool_bar_max_label_size;
+ char *buf = (char *) xmalloc (max_lbl+1);
 Lisp_Object new_lbl;
 if (strlen (caption) < max_lbl && caption[0] != '\0')
 {
 strcpy (buf, caption);
- while (buf[0] != '\0' && buf[strlen (buf) -1] == '.')
+ while (buf[0] != '\0' && buf[strlen (buf) -1] == '.')
 buf[strlen (buf)-1] = '\0';
 if (strlen (buf) <= max_lbl)
 caption = buf;
@@ -8361,6 +8361,9 @@ parse_tool_bar_item (Lisp_Object key, Lisp_Object item)
 new_lbl = Fupcase_initials (make_string (label, strlen (label)));
 if (SCHARS (new_lbl) <= tool_bar_max_label_size)
 PROP (TOOL_BAR_ITEM_LABEL) = new_lbl;
+ else
+ PROP (TOOL_BAR_ITEM_LABEL) = make_string ("", 0);
+ free (buf);
 }
 /* If got a filter apply it on binding. */
--
2.39.2
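Review bot: In the first keyboard.c hunk (`@@ -8328,14 +8328,14 @@`), the allocation size `max_lbl+1` and the guard `strlen (caption) < max_lbl` both depend on `2*tool_bar_max_label_size`, and nothing visible here rejects a zero or negative value. Because `strlen` returns an unsigned type, on typical builds a negative `max_lbl` is converted to a very large value in that comparison, so the guard would pass while `xmalloc` is asked for a nonsensical size. Unless the variable is validated elsewhere, clamp it where it is read, for example `EMACS_INT max_lbl = tool_bar_max_label_size > 0 ? 2 * tool_bar_max_label_size : 0;`, and add a comment saying that `buf` holds at most `max_lbl` bytes plus the terminator. The body of parse_tool_bar_item starts and ends outside the hunk.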
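Review bot: In the second keyboard.c hunk (`@@ -8361,6 +8361,9 @@`), `free (buf)` releases memory that the first hunk obtains with `xmalloc`; Emacs code normally pairs `xmalloc` with `xfree`, so this line should read `xfree (buf);`. The allocation is also live across `Fupcase_initials` and `make_string`, so if either leaves the function non-locally (for instance on a memory-full signal) `buf` is never released; that is a leak rather than memory corruption, but it deserves a comment or an unwind-protect handler. Since the first hunk may leave `caption` pointing at `buf`, the release has to stay after the last read of `caption`; the lines between the two hunks are not visible here, so that ordering should be confirmed. The enclosing block opens outside the hunk.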