bug#6855: 24.0.50; Bug in tool bar label handling
From: Johan Bockgård
Subject: bug#6855: 24.0.50; Bug in tool bar label handling
Date: Sat, 14 Aug 2010 14:04:25 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)

There are some bugs in the handling of tool bar labels that can cause
Emacs to crash.

### gtkutil.c: update_frame_tool_bar ###

    char *label = SSDATA (PROP (TOOL_BAR_ITEM_LABEL));

Here we take string data out.

### keyboard.c: parse_tool_bar_item ###

    else if (EQ (key, QClabel))
      {
        /* `:label LABEL-STRING'. */
        PROP (TOOL_BAR_ITEM_LABEL) = value;
        have_label = 1;
      }

But here we put an arbitrary object in.

    ...
    if (!have_label)
    ...
        char buf[64];
        EMACS_INT max_lbl = 2*tool_bar_max_label_size;
        Lisp_Object new_lbl;
        if (strlen (caption) < max_lbl && caption[0] != '\0')
          {
            strcpy (buf, caption);

tool-bar-max-label-size is a user variable, so this can mean a buffer
overflow.

    ...
    if (SCHARS (new_lbl) <= tool_bar_max_label_size)
      PROP (TOOL_BAR_ITEM_LABEL) = new_lbl;

If we came here but the branch is not taken, the label will be nil,
not a string.
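
The strcpy condition reported above, as an added example that is not part of the original message and is not Emacs source: it shows for which values of the user limit the check admits a caption larger than the 64-byte buffer, next to a bounded copy that also tests the destination size. The function names, the 100-character caption and the limit values 14 and 200 are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { LABEL_BUF_SIZE = 64 };  /* matches `char buf[64]` in the report */

/* Mirrors the reported condition without performing the copy: returns 1
   when the check would pass for a caption that does not fit in buf.  */
int reported_check_allows_overflow (const char *caption, long max_label_size)
{
  long max_lbl = 2 * max_label_size;
  size_t len = strlen (caption);
  return (long) len < max_lbl && caption[0] != '\0' && len >= LABEL_BUF_SIZE;
}

/* Bounded variant (hypothetical helper): the caption must satisfy the user
   limit AND fit in the destination.  Returns the copied length, or -1 if
   the caption is rejected.  */
int copy_caption_bounded (char *buf, size_t bufsize, const char *caption,
                          long max_label_size)
{
  long max_lbl = 2 * max_label_size;
  size_t len = strlen (caption);
  if (caption[0] == '\0' || max_lbl <= 0)
    return -1;
  if (len >= (size_t) max_lbl || len >= bufsize)
    return -1;
  memcpy (buf, caption, len + 1);  /* len + 1 includes the terminating NUL */
  return (int) len;
}

int main (void)
{
  char caption[101];               /* constructed 100-character caption */
  char buf[LABEL_BUF_SIZE];
  memset (caption, 'A', 100);
  caption[100] = '\0';

  /* Constructed values for tool-bar-max-label-size: 14 and 200.  */
  printf ("limit 14:  check passes with oversize caption = %d\n",
          reported_check_allows_overflow (caption, 14));
  printf ("limit 200: check passes with oversize caption = %d\n",
          reported_check_allows_overflow (caption, 200));
  printf ("bounded copy, limit 200 = %d\n",
          copy_caption_bounded (buf, sizeof buf, caption, 200));
  printf ("bounded copy of \"Open\" = %d\n",
          copy_caption_bounded (buf, sizeof buf, "Open", 200));
  return 0;
}
```

With a limit of 32 or less, `2*tool_bar_max_label_size` never exceeds 64 and the original check happens to stay within the buffer; any larger setting removes that margin.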