Revision: 1171 http://svn.sourceforge.net/geany/?rev=1171&view=rev Author: ntrel Date: 2007-01-09 08:53:27 -0800 (Tue, 09 Jan 2007)
Log Message: ----------- Prevent some possible buffer overflows.
Modified Paths: -------------- trunk/ChangeLog trunk/src/sci_cb.c trunk/src/sciwrappers.c trunk/src/utils.c
Modified: trunk/ChangeLog
===================================================================
--- trunk/ChangeLog 2007-01-08 18:24:45 UTC (rev 1170)
+++ trunk/ChangeLog 2007-01-09 16:53:27 UTC (rev 1171)
@@ -1,3 +1,9 @@
+2007-01-09 Nick Treleaven nick.treleaven@btinternet.com
+
+ * src/utils.c, src/sci_cb.c, src/sciwrappers.c:
+ Prevent some possible buffer overflows.
+
+
2007-01-08 Enrico Tröger enrico.troeger@uvena.de
* doc/geany.docbook, src/keybindings.c, src/keybindings.h:
Modified: trunk/src/sci_cb.c
===================================================================
--- trunk/src/sci_cb.c 2007-01-08 18:24:45 UTC (rev 1170)
+++ trunk/src/sci_cb.c 2007-01-09 16:53:27 UTC (rev 1171)
@@ -259,7 +259,7 @@
{
gint start, pos = SSM(sci, SCI_GETCURRENTPOS, 0, 0);
start = pos;
- while (sci_get_char_at(sci, --start) != '&') ;
+ while (start > 0 && sci_get_char_at(sci, --start) != '&') ;
SSM(sci, SCI_INSERTTEXT, pos - 1, (sptr_t) nt->text);
}
@@ -897,7 +897,7 @@
sci_get_text_range(sci, pos - 16, pos - 1, buf);
// check the first 8 characters of buf for whitespace, but only in this line
i = 14;
- while (isalpha(buf[i])) i--; // find pos before keyword
+ while (i >= 0 && isalpha(buf[i])) i--; // find pos before keyword
while (i >= 0 && buf[i] != '\n' && buf[i] != '\r') // we want to stay in this line('\n' check)
{
if (! isspace(buf[i]))
@@ -1177,7 +1177,7 @@
x = strlen(indent);
// find the start of the <table tag
i = 1;
- while (sci_get_char_at(sci, pos - i) != '<') i++;
+ while (i <= pos && sci_get_char_at(sci, pos - i) != '<') i++;
// add all non whitespace before the tag to the indent string
while ((pos - i) != indent_pos)
{
@@ -1301,12 +1301,17 @@
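Review bot: The bound in `while (start > 0 && sci_get_char_at(sci, --start) != '&') ;` stops the walk at the document start, but it leaves `start == 0` both when an `&` sits at position 0 and when there is no `&` at all, so the two cases are indistinguishable afterwards. If `start` is read after this hunk (the enclosing function begins and continues outside it), that use should first confirm the hit, e.g. `if (sci_get_char_at(sci, start) != '&') return;`. A short comment on the loop would also help the next reader: `// walk back to the '&' that opened the entity; ends at 0 when there is none`.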
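Review bot: `while (i >= 0 && isalpha(buf[i])) i--;` still hands a plain `gchar` to `isalpha`, and the same holds for `if (! isspace(buf[i]))` two lines below; any byte above 0x7F in the 15 bytes fetched by `sci_get_text_range(sci, pos - 16, pos - 1, buf)` (a UTF-8 multibyte sequence, for instance) becomes a negative argument, which the `<ctype.h>` functions do not accept, so the index bound added here does not remove the undefined behaviour on the value. Write `isalpha((unsigned char) buf[i])` and `isspace((unsigned char) buf[i])`. Separately, `pos - 16` is not visibly checked for `pos < 16` inside this hunk; if no guard exists outside it, Scintilla is asked for a range that starts before the document. The enclosing function starts and ends outside the hunk.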
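Review bot: After `while (i <= pos && sci_get_char_at(sci, pos - i) != '<') i++;` the search can now finish with `i == pos + 1` without having found a `<`, and the loop that follows, `while ((pos - i) != indent_pos)`, is then entered with `pos - i == -1`; unless `indent_pos` can itself be negative that inequality never becomes false, and if the body keeps advancing `i` (the body lies outside the hunk) the loop does not terminate. The not-found case needs an explicit exit between the two loops, e.g. `if (i > pos) return;` (with whatever value the function returns), or a note explaining why a missing `<` is impossible here. The enclosing function continues outside the hunk.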
for (i = first_line; (i <= last_line) && (! break_loop); i++)
{
+ gint buf_len;
+
line_start = sci_get_position_from_line(doc_list[idx].sci, i);
line_len = sci_get_line_length(doc_list[idx].sci, i);
x = 0;
- sci_get_text_range(doc_list[idx].sci, line_start, MIN((line_start + 255), (line_start + line_len - 1)), sel);
- sel[MIN(255, (line_len - 1))] = '\0';
+ buf_len = MIN((gint)sizeof(sel) - 1, line_len - 1);
+ if (buf_len <= 0)
+ break;
+ sci_get_text_range(doc_list[idx].sci, line_start, line_start + buf_len, sel);
+ sel[buf_len] = '\0';
while (isspace(sel[x])) x++;
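Review bot: `if (buf_len <= 0) break;` ends the whole `for` over `first_line..last_line` at the first line with `line_len <= 1`, and whether that happens depends on the document's EOL mode: an empty line in an LF file has `line_len == 1` and now terminates the scan, while the same empty line in a CRLF file has `line_len == 2`, yields `sel = "\r"`, and is merely skipped by `while (isspace(sel[x])) x++;`. If stopping at a blank line is not the intent, `continue` is the safer choice, with `break` reserved for `line_len == 0`, the unterminated empty last line on which the old `sel[MIN(255, (line_len - 1))] = '\0'` wrote to `sel[-1]`. Either way a one-line comment saying which case is meant belongs on the check. The loop body continues outside the hunk.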
@@ -1430,12 +1435,17 @@
for (i = first_line; (i <= last_line) && (! break_loop); i++)
{
+ gint buf_len;
+
line_start = sci_get_position_from_line(doc_list[idx].sci, i);
line_len = sci_get_line_length(doc_list[idx].sci, i);
x = 0;
- sci_get_text_range(doc_list[idx].sci, line_start, MIN((line_start + 255), (line_start + line_len - 1)), sel);
- sel[MIN(255, (line_len - 1))] = '\0';
+ buf_len = MIN((gint)sizeof(sel) - 1, line_len - 1);
+ if (buf_len <= 0)
+ break;
+ sci_get_text_range(doc_list[idx].sci, line_start, line_start + buf_len, sel);
+ sel[buf_len] = '\0';
while (isspace(sel[x])) x++;
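Review bot: This is the second of three identical copies of the bounded line read (`buf_len = MIN((gint)sizeof(sel) - 1, line_len - 1);`, the `<= 0` check, the `sci_get_text_range` call and the terminator store), and the only thing that differed between the copies before this commit was the 255/256 constant that had already drifted apart. A `static` helper that takes the Scintilla object, the line's start and length, the buffer and its size, and returns the number of bytes copied would keep the three call sites in step; the decision to `break` on an empty line then stays with each caller rather than being baked into the helper. The three loops continue outside their hunks, so `line_start` and `line_len` are kept as loop locals in the sketch below.
```c
/* Copy at most buf_size - 1 bytes of the line starting at line_start into buf,
 * zero terminated. Returns the number of bytes copied, 0 if the line has no text. */
static gint get_line_prefix(ScintillaObject *sci, gint line_start, gint line_len,
	gchar *buf, gsize buf_size)
{
	gint buf_len = MIN((gint)buf_size - 1, line_len - 1);

	if (buf_len <= 0)
		return 0;
	sci_get_text_range(sci, line_start, line_start + buf_len, buf);
	buf[buf_len] = '\0';
	return buf_len;
}

/* … in each of the three loops, in place of the buf_len block … */
if (get_line_prefix(doc_list[idx].sci, line_start, line_len, sel, sizeof(sel)) == 0)
	break;
```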
@@ -1616,17 +1626,18 @@
for (i = first_line; (i <= last_line) && (! break_loop); i++)
{
+ gint buf_len;
+
line_start = sci_get_position_from_line(doc_list[idx].sci, i);
line_len = sci_get_line_length(doc_list[idx].sci, i);
x = 0;
- sci_get_text_range(doc_list[idx].sci, line_start, MIN((line_start + 256), (line_start + line_len - 1)), sel);
- sel[MIN(256, (line_len - 1))] = '\0';
+ buf_len = MIN((gint)sizeof(sel) - 1, line_len - 1);
+ if (buf_len <= 0)
+ break;
+ sci_get_text_range(doc_list[idx].sci, line_start, line_start + buf_len, sel);
+ sel[buf_len] = '\0';
- /// TODO fix the above code to remove the described segfault below
- // The following loop causes a segfault when the cursor is on the last line of doc and
- // there are no other characters on this line and Geany was compiled with -O2, with -O0
- // all works fine.
while (isspace(sel[x])) x++;
// to skip blank lines
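Review bot: The deleted TODO recorded the symptom (a crash on an empty last line at -O2) but the commit does not record the cause it fixed, which is visible in the removed lines: with `line_len == 0` the old `sel[MIN(256, (line_len - 1))] = '\0'` stored through `sel[-1]` and `sci_get_text_range` was asked for a range whose end preceded its start. A why-comment on the new check would keep that knowledge in the file, e.g. `// line_len counts the EOL; 0 means an unterminated empty last line, so there is nothing to copy`. The `while (isspace(sel[x])) x++;` that follows still passes a `gchar` to `isspace`, so a byte above 0x7F is a negative argument the `<ctype.h>` functions do not accept; `isspace((unsigned char) sel[x])` is the portable form. The loop body continues outside the hunk.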
Modified: trunk/src/sciwrappers.c
===================================================================
--- trunk/src/sciwrappers.c 2007-01-08 18:24:45 UTC (rev 1170)
+++ trunk/src/sciwrappers.c 2007-01-09 16:53:27 UTC (rev 1171)
@@ -756,6 +756,7 @@
}
+/* text will be zero terminated and must be allocated (end - start + 1) bytes */
void sci_get_text_range(ScintillaObject *sci, gint start, gint end, gchar *text)
{
struct TextRange tr;
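Review bot: The new comment states the buffer size but not the precondition the sci_cb.c callers had been violating, namely that `start <= end` (and both are non-negative): the size formula `end - start + 1` only makes sense under it, and a caller that breaks it gets a negative size with no diagnostic. I would extend the comment to `/* Copies the range [start, end) into text and zero terminates it; text must have room for end - start + 1 bytes and start <= end must hold. */` and, since the file already uses GLib types, add `g_return_if_fail(end >= start);` as the first statement of the body, which lies outside the hunk. The half-open reading is inferred from the size formula; adjust the wording if the wrapper is inclusive.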
Modified: trunk/src/utils.c
===================================================================
--- trunk/src/utils.c 2007-01-08 18:24:45 UTC (rev 1170)
+++ trunk/src/utils.c 2007-01-09 16:53:27 UTC (rev 1171)
@@ -470,7 +470,7 @@
if (end < 0) end = 0;
// skip whitespaces between identifier and (
- while (isspace(sci_get_char_at(sci, end))) end--;
+ while (end > 0 && isspace(sci_get_char_at(sci, end))) end--;
start = end; c = 0;
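Review bot: `while (end > 0 && isspace(sci_get_char_at(sci, end))) end--;` never examines position 0: when `end` is 1 and that byte is whitespace the loop steps to 0 and exits, so a whitespace byte at the very start of the document is handed to the identifier scan that begins at `start = end;` — harmless only if that scan (outside the hunk) rejects it itself. The call also passes the character straight to `isspace`; if `sci_get_char_at` returns `gchar`, a byte above 0x7F becomes a negative argument the `<ctype.h>` functions do not accept, so `isspace((unsigned char) sci_get_char_at(sci, end))` is the portable form. The enclosing function starts and ends outside the hunk.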