SF.net SVN: geany: [1171] trunk

ntrel at users.sourceforge.net ntrel at xxxxx
Tue Jan 9 16:53:27 UTC 2007


Revision: 1171
          http://svn.sourceforge.net/geany/?rev=1171&view=rev
Author:   ntrel
Date:     2007-01-09 08:53:27 -0800 (Tue, 09 Jan 2007)

Log Message:
-----------
Prevent some possible buffer overflows.

Modified Paths:
--------------
    trunk/ChangeLog
    trunk/src/sci_cb.c
    trunk/src/sciwrappers.c
    trunk/src/utils.c

Modified: trunk/ChangeLog
===================================================================
--- trunk/ChangeLog	2007-01-08 18:24:45 UTC (rev 1170)
+++ trunk/ChangeLog	2007-01-09 16:53:27 UTC (rev 1171)
@@ -1,3 +1,9 @@
+2007-01-09  Nick Treleaven  <nick.treleaven at btinternet.com>
+
+ * src/utils.c, src/sci_cb.c, src/sciwrappers.c:
+   Prevent some possible buffer overflows.
+
+
 2007-01-08  Enrico Tröger  <enrico.troeger at uvena.de>
 
  * doc/geany.docbook, src/keybindings.c, src/keybindings.h:

Modified: trunk/src/sci_cb.c
===================================================================
--- trunk/src/sci_cb.c	2007-01-08 18:24:45 UTC (rev 1170)
+++ trunk/src/sci_cb.c	2007-01-09 16:53:27 UTC (rev 1171)
@@ -259,7 +259,7 @@
 			{
 				gint start, pos = SSM(sci, SCI_GETCURRENTPOS, 0, 0);
 				start = pos;
-				while (sci_get_char_at(sci, --start) != '&') ;
+				while (start > 0 && sci_get_char_at(sci, --start) != '&') ;
 
 				SSM(sci, SCI_INSERTTEXT, pos - 1, (sptr_t) nt->text);
 			}
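Review bot: With the new `start > 0` guard the loop can now stop at `start == 0` without having seen an `&`, and nothing in the hunk distinguishes that from a hit; the insertion at `pos - 1` on the next line happens either way. If `start` is consumed after this point (the enclosing block continues outside the hunk), it should be confirmed with `if (sci_get_char_at(sci, start) != '&') return;` or the equivalent bail-out before it is trusted as the position of the `&`. The pre-decrement inside the condition also means `start` is never examined at its initial value of `pos`, which looks intentional but deserves a one-line comment such as `// scan backwards from the character before the cursor`.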
@@ -897,7 +897,7 @@
 	sci_get_text_range(sci, pos - 16, pos - 1, buf);
 	// check the first 8 characters of buf for whitespace, but only in this line
 	i = 14;
-	while (isalpha(buf[i])) i--;	// find pos before keyword
+	while (i >= 0 && isalpha(buf[i])) i--;	// find pos before keyword
 	while (i >= 0 && buf[i] != '\n' && buf[i] != '\r') // we want to stay in this line('\n' check)
 	{
 		if (! isspace(buf[i]))
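Review bot: The added `i >= 0` check protects the index into `buf`, but the range passed to `sci_get_text_range(sci, pos - 16, pos - 1, buf)` two lines above is still unguarded: when the caret is within the first 16 characters of the document `pos - 16` is negative, and the function's new contract in sciwrappers.c (`end - start + 1` bytes) says nothing about negative starts. Bail out before the call with `if (pos < 16) return …;` (the enclosing function and its return type start outside the hunk, so the exact form has to be chosen there); clamping the start instead would break the `i = 14` assumption that `buf` holds exactly 15 characters before the caret. Separately, `isalpha(buf[i])` and `isspace(buf[i])` take a `gchar`; on platforms where `char` is signed a UTF-8 byte ≥ 0x80 yields a negative argument, which is undefined for the `<ctype.h>` functions — write `isalpha((unsigned char) buf[i])`.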
@@ -1177,7 +1177,7 @@
 		x = strlen(indent);
 		// find the start of the <table tag
 		i = 1;
-		while (sci_get_char_at(sci, pos - i) != '<') i++;
+		while (i <= pos && sci_get_char_at(sci, pos - i) != '<') i++;
 		// add all non whitespace before the tag to the indent string
 		while ((pos - i) != indent_pos)
 		{
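Review bot: When no `<` is found the new bound stops the loop with `i == pos + 1`, i.e. `pos - i == -1`, and the very next loop `while ((pos - i) != indent_pos)` has no corresponding bail-out, so it starts from a negative position and presumably runs until `pos - i` happens to equal `indent_pos` (its body is outside the hunk, so I cannot see what it indexes). Add an explicit exit between the two loops, e.g. `if (i > pos) { /* no opening '<' before the caret */ ...release indent if owned...; return; }`, choosing the cleanup and return form that the enclosing function (which starts outside the hunk) uses. A short comment on the guard, `// i <= pos keeps pos - i non-negative`, would also make the purpose of the bound obvious to the next reader.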
@@ -1301,12 +1301,17 @@
 
 	for (i = first_line; (i <= last_line) && (! break_loop); i++)
 	{
+		gint buf_len;
+
 		line_start = sci_get_position_from_line(doc_list[idx].sci, i);
 		line_len = sci_get_line_length(doc_list[idx].sci, i);
 		x = 0;
 
-		sci_get_text_range(doc_list[idx].sci, line_start, MIN((line_start + 255), (line_start + line_len - 1)), sel);
-		sel[MIN(255, (line_len - 1))] = '\0';
+		buf_len = MIN((gint)sizeof(sel) - 1, line_len - 1);
+		if (buf_len <= 0)
+			break;
+		sci_get_text_range(doc_list[idx].sci, line_start, line_start + buf_len, sel);
+		sel[buf_len] = '\0';
 
 		while (isspace(sel[x])) x++;
 
@@ -1430,12 +1435,17 @@
 
 	for (i = first_line; (i <= last_line) && (! break_loop); i++)
 	{
+		gint buf_len;
+
 		line_start = sci_get_position_from_line(doc_list[idx].sci, i);
 		line_len = sci_get_line_length(doc_list[idx].sci, i);
 		x = 0;
 
-		sci_get_text_range(doc_list[idx].sci, line_start, MIN((line_start + 255), (line_start + line_len - 1)), sel);
-		sel[MIN(255, (line_len - 1))] = '\0';
+		buf_len = MIN((gint)sizeof(sel) - 1, line_len - 1);
+		if (buf_len <= 0)
+			break;
+		sci_get_text_range(doc_list[idx].sci, line_start, line_start + buf_len, sel);
+		sel[buf_len] = '\0';
 
 		while (isspace(sel[x])) x++;
 
@@ -1616,17 +1626,18 @@
 
 	for (i = first_line; (i <= last_line) && (! break_loop); i++)
 	{
+		gint buf_len;
+
 		line_start = sci_get_position_from_line(doc_list[idx].sci, i);
 		line_len = sci_get_line_length(doc_list[idx].sci, i);
 		x = 0;
 
-		sci_get_text_range(doc_list[idx].sci, line_start, MIN((line_start + 256), (line_start + line_len - 1)), sel);
-		sel[MIN(256, (line_len - 1))] = '\0';
+		buf_len = MIN((gint)sizeof(sel) - 1, line_len - 1);
+		if (buf_len <= 0)
+			break;
+		sci_get_text_range(doc_list[idx].sci, line_start, line_start + buf_len, sel);
+		sel[buf_len] = '\0';
 
-		/// TODO fix the above code to remove the described segfault below
-		// The following loop causes a segfault when the cursor is on the last line of doc and
-		// there are no other characters on this line and Geany was compiled with -O2, with -O0
-		// all works fine.
 		while (isspace(sel[x])) x++;
 
 		// to skip blank lines

Modified: trunk/src/sciwrappers.c
===================================================================
--- trunk/src/sciwrappers.c	2007-01-08 18:24:45 UTC (rev 1170)
+++ trunk/src/sciwrappers.c	2007-01-09 16:53:27 UTC (rev 1171)
@@ -756,6 +756,7 @@
 }
 
 
+/* text will be zero terminated and must be allocated (end - start + 1) bytes */
 void sci_get_text_range(ScintillaObject *sci, gint start, gint end, gchar *text)
 {
 	struct TextRange tr;
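Review bot: The contract is now stated in a comment but not enforced, and the callers changed in this commit derive `end` from `sizeof(sel)` by hand; a `g_return_if_fail(start >= 0 && end >= start);` at the top of the function (its body continues outside the hunk) would turn a future miscalculation into a logged precondition failure instead of an out-of-bounds write. The comment would also be more useful as the function's doc block, e.g. `/** Copies [start, end) of the document into text, NUL-terminated; text must have room for (end - start + 1) bytes. */` — I have hedged on whether `end` is inclusive, which the comment as written does not say.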

Modified: trunk/src/utils.c
===================================================================
--- trunk/src/utils.c	2007-01-08 18:24:45 UTC (rev 1170)
+++ trunk/src/utils.c	2007-01-09 16:53:27 UTC (rev 1171)
@@ -470,7 +470,7 @@
 	if (end < 0) end = 0;
 
 	// skip whitespaces between identifier and (
-	while (isspace(sci_get_char_at(sci, end))) end--;
+	while (end > 0 && isspace(sci_get_char_at(sci, end))) end--;
 
 	start = end;
 	c = 0;
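Review bot: `isspace(sci_get_char_at(sci, end))` passes the character straight to a `<ctype.h>` function; if `sci_get_char_at` returns a `gchar` (its declaration is not in this diff), bytes ≥ 0x80 from UTF-8 text become negative values, which is undefined behaviour for `isspace`. Use `isspace((unsigned char) sci_get_char_at(sci, end))`, which matches the same `isspace`/`isalpha` uses in sci_cb.c touched by this commit. Note also that with the new `end > 0` bound the character at position 0 is never tested, so `start = end` may land on a whitespace character at the very start of the document — probably harmless, but worth a comment.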

