bug#6855: 24.0.50; Bug in tool bar label handling


From: Johan Bockgård
Subject: bug#6855: 24.0.50; Bug in tool bar label handling
Date: Sat, 14 Aug 2010 14:04:25 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)

There are some bugs in the handling of tool bar labels that can cause
Emacs to crash.



### gtkutil.c: update_frame_tool_bar ###

    char *label = SSDATA (PROP (TOOL_BAR_ITEM_LABEL));

Here we take string data out.



### keyboard.c: parse_tool_bar_item ###

      else if (EQ (key, QClabel))
        {
          /* `:label LABEL-STRING'.  */
          PROP (TOOL_BAR_ITEM_LABEL) = value;
          have_label = 1;
        }

But here we put an arbitrary object in.


...

  if (!have_label)

...
      char buf[64];
      EMACS_INT max_lbl = 2*tool_bar_max_label_size;
      Lisp_Object new_lbl;

      if (strlen (caption) < max_lbl && caption[0] != '\0')
        {
          strcpy (buf, caption);

tool-bar-max-label-size is a user variable, so this can mean a buffer
overflow.


...
      if (SCHARS (new_lbl) <= tool_bar_max_label_size)
        PROP (TOOL_BAR_ITEM_LABEL) = new_lbl;

If we came here but the branch is not taken, the label will be nil,
not a string.
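
The `strcpy` problem described above, as an added example that is not part of the original report or of the Emacs sources: it models the quoted guard next to a copy that also checks the destination size. The function names, the 100-character caption and the limit values 14 and 200 are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_BUF_SIZE 64   /* same size as `char buf[64]` in the report */

/* Guard as quoted in the report: the only bound is the user variable. */
static int quoted_guard_accepts(const char *caption, long max_label_size)
{
    long max_lbl = 2 * max_label_size;
    return (long) strlen(caption) < max_lbl && caption[0] != '\0';
}

/* 1 when that guard would let strcpy write past the 64-byte buffer. */
static int guard_allows_overflow(const char *caption, long max_label_size)
{
    return quoted_guard_accepts(caption, max_label_size)
           && strlen(caption) >= LABEL_BUF_SIZE;
}

/* Hypothetical hardened copy: the caption must fit the user limit AND
   the destination.  Returns 1 if copied, 0 if rejected (buf untouched). */
static int copy_label_checked(char *buf, size_t bufsize,
                              const char *caption, long max_label_size)
{
    size_t len = strlen(caption);
    if (len == 0 || max_label_size <= 0)
        return 0;
    if (len >= 2 * (size_t) max_label_size || len >= bufsize)
        return 0;
    memcpy(buf, caption, len + 1);   /* len + 1 <= bufsize here */
    return 1;
}

/* Constructed sample input (as are the limits used in main). */
static const char *long_caption(void)
{
    static char cap[101];            /* static storage: cap[100] is '\0' */
    memset(cap, 'A', 100);
    return cap;
}

int main(void)
{
    char buf[LABEL_BUF_SIZE];
    printf("limit 200, quoted guard allows overflow: %d\n", guard_allows_overflow(long_caption(), 200));
    printf("limit 200, checked copy of long caption: %d\n", copy_label_checked(buf, sizeof buf, long_caption(), 200));
    printf("limit 14, checked copy of \"Open\": %d\n", copy_label_checked(buf, sizeof buf, "Open", 14));
    return 0;
}
```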