GNU bug report logs - #6855 24.0.50; Bug in tool bar label handling
Reported by: Johan Bockgård <bojohan <at> gnu.org>
Date: Sat, 14 Aug 2010 12:47:02 UTC
Severity: normal
Found in version 24.0.50
Done: Jan Djärv <jan.h.d <at> swipnet.se>
Bug is archived. No further changes may be made.
There are some bugs in the handling of tool bar labels that can cause
Emacs to crash.
### gtkutil.c: update_frame_tool_bar ###
char *label = SSDATA (PROP (TOOL_BAR_ITEM_LABEL));
Here we take string data out.
### keyboard.c: parse_tool_bar_item ###
  else if (EQ (key, QClabel))
    {
      /* `:label LABEL-STRING'. */
      PROP (TOOL_BAR_ITEM_LABEL) = value;
      have_label = 1;
    }
But here we put an arbitrary object in.
...
  if (!have_label)
  ...
      char buf[64];
      EMACS_INT max_lbl = 2*tool_bar_max_label_size;
      Lisp_Object new_lbl;
      if (strlen (caption) < max_lbl && caption[0] != '\0')
        {
          strcpy (buf, caption);
tool-bar-max-label-size is a user variable, so this can mean a buffer
overflow.
...
      if (SCHARS (new_lbl) <= tool_bar_max_label_size)
        PROP (TOOL_BAR_ITEM_LABEL) = new_lbl;
If we came here but the branch is not taken, the label will be nil,
not a string.
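The length check quoted from parse_tool_bar_item, modelled next to a copy that is also bounded by the destination size. This is an added example, not part of the original report and not the fix applied in Emacs. The function names are hypothetical, `long` stands in for EMACS_INT, and the sample captions and limits are constructed.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_BUF_SIZE 64 /* size of buf[] in the quoted excerpt */

/* Evaluates the excerpt's condition without performing the strcpy.
   Returns 1 if the copy would run and write past the 64-byte buffer. */
int excerpt_would_overflow(const char *caption, long tool_bar_max_label_size)
{
  long max_lbl = 2 * tool_bar_max_label_size;
  int copies = (long) strlen(caption) < max_lbl && caption[0] != '\0';
  return copies && strlen(caption) + 1 > LABEL_BUF_SIZE;
}

/* Hypothetical hardened copy: the caption must fit both the user limit
   and the destination. Returns 0 on success, -1 if it is rejected. */
int copy_caption_bounded(char *buf, size_t bufsize, const char *caption,
                         long tool_bar_max_label_size)
{
  size_t len = strlen(caption);
  if (len == 0 || tool_bar_max_label_size <= 0)
    return -1;
  /* len < 2 * limit, written so the multiplication cannot overflow. */
  if (len / 2 >= (size_t) tool_bar_max_label_size)
    return -1;
  if (len >= bufsize) /* no room for the string plus its NUL */
    return -1;
  memcpy(buf, caption, len + 1);
  return 0;
}

int hardened_accepts(const char *caption, long limit)
{
  char buf[LABEL_BUF_SIZE];
  return copy_caption_bounded(buf, sizeof buf, caption, limit) == 0
         && strcmp(buf, caption) == 0;
}

/* Constructed sample input: a 100-character caption. */
const char *long_caption(void)
{
  static char s[101];
  memset(s, 'A', 100);
  s[100] = '\0';
  return s;
}

int main(void)
{
  printf("excerpt overflows at limit 100: %d\n", excerpt_would_overflow(long_caption(), 100));
  printf("hardened accepts it: %d\n", hardened_accepts(long_caption(), 100));
  return 0;
}
```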
This bug report was last modified 14 years and 288 days ago.