| blob | 114ae20599e73966900a05d6b5b506ee42415750 |
1 Subject: Remove argument limit from action routines
3 This removes a buffer overflow, if more than 9 arguments are passed to an
4 action routine.
6 SF: BUG#2074318
8 Posted here, as proposal B:
10 http://www.nedit.org/pipermail/develop/2008-August/014628.html
12 ---
14 source/interpret.c | 4 +++-
15 source/interpret.h | 1 -
16 2 files changed, 3 insertions(+), 2 deletions(-)
18 diff --quilt old/source/interpret.c new/source/interpret.c
19 --- old/source/interpret.c
20 +++ new/source/interpret.c
21 @@ -1977,7 +1977,7 @@ static int callSubroutine(void)
22 ** Call an action routine
23 */
24 if (sym->type == ACTION_ROUTINE_SYM) {
25 - String argList[MAX_ARGS];
26 + String *argList;
27 Cardinal numArgs = nArgs;
28 XKeyEvent key_event;
29 Display *disp;
30 @@ -1999,6 +1999,7 @@ static int callSubroutine(void)
31 key_event.display=disp;
32 key_event.window=key_event.root=key_event.subwindow=win;
34 + argList = (String *)XtCalloc(nArgs, sizeof(*argList));
35 /* pop arguments off the stack and put them in the argument list */
36 for (i=nArgs-1; i>=0; i--) {
37 POP_STRING(argList[i])
38 @@ -2008,6 +2009,7 @@ static int callSubroutine(void)
39 PreemptRequest = False;
40 sym->value.val.xtproc(FocusWindow->lastFocus,
41 (XEvent *)&key_event, argList, &numArgs);
42 + XtFree((char *)argList);
43 if (PC->func == fetchRetVal) {
44 return execError("%s does not return a value", sym->name);
45 }
46 diff --quilt old/source/interpret.h new/source/interpret.h
47 --- old/source/interpret.h
48 +++ new/source/interpret.h
49 @@ -31,7 +31,6 @@
50 #include "nedit.h"
51 #include "rbTree.h"
53 -#define MAX_ARGS 9 /* Maximum number of subroutine arguments */
54 #define STACK_SIZE 1024 /* Maximum stack size */
55 #define MAX_SYM_LEN 100 /* Max. symbol name length */
56 #define MACRO_EVENT_MARKER 2 /* Special value for the send_event field of