STR 1186: Fixed Help Browser buffer overflow by adding a self-enlarging buffer for reading text blocks. Without this, blocks of more than 1024 chars without attributes would corrupt memory.
TEST USERS: Please check this fix. It is not trivial. git-svn-id: file:///fltk/svn/fltk/branches/branch-1.1@4871 ea41ed52-d2ee-0310-a9c1-e6b18d33e121
parent
094f1b0f7e
commit
450b73e63b
@ -136,6 +136,66 @@ static const char *broken_xpm[] =
|
||||
|
||||
static Fl_Pixmap broken_image(broken_xpm);
|
||||
|
||||
class FlexBuffer {
|
||||
friend class FlexPointer;
|
||||
public:
|
||||
FlexBuffer(int s) {
|
||||
mem = (char*)malloc(s);
|
||||
size_ = s;
|
||||
}
|
||||
~FlexBuffer() {
|
||||
free(mem);
|
||||
mem = 0;
|
||||
}
|
||||
operator char*() {
|
||||
return mem;
|
||||
}
|
||||
int size() {
|
||||
return size_;
|
||||
}
|
||||
private:
|
||||
void enlarge(int need) {
|
||||
int step = (need+512)&~511;
|
||||
mem = (char*)realloc(mem, step);
|
||||
size_ = step;
|
||||
}
|
||||
char *mem;
|
||||
int size_;
|
||||
};
|
||||
|
||||
class FlexPointer {
|
||||
public:
|
||||
FlexPointer() {
|
||||
buf = 0; ix = 0;
|
||||
}
|
||||
void operator=(FlexBuffer &flexbuffer) {
|
||||
buf = &flexbuffer;
|
||||
ix = 0;
|
||||
}
|
||||
operator char*() {
|
||||
return buf->mem + ix;
|
||||
}
|
||||
int operator>(FlexBuffer &fb) {
|
||||
return (buf->mem + ix > fb.mem);
|
||||
}
|
||||
int operator<(char *b) {
|
||||
return (buf->mem + ix < b);
|
||||
}
|
||||
FlexPointer const operator++(int) {
|
||||
FlexPointer tmp(*this);
|
||||
++ix;
|
||||
return tmp;
|
||||
}
|
||||
char& operator*() const {
|
||||
if (ix >= buf->size_)
|
||||
buf->enlarge(ix);
|
||||
return buf->mem[ix];
|
||||
}
|
||||
private:
|
||||
FlexBuffer *buf;
|
||||
int ix;
|
||||
};
|
||||
|
||||
|
||||
//
|
||||
// 'Fl_Help_View::add_block()' - Add a text block to the list.
|
||||
@ -323,9 +383,11 @@ Fl_Help_View::draw()
|
||||
const Fl_Help_Block *block; // Pointer to current block
|
||||
const char *ptr, // Pointer to text in block
|
||||
*attrs; // Pointer to start of element attributes
|
||||
char *s, // Pointer into buffer
|
||||
buf[1024], // Text buffer
|
||||
attr[1024]; // Attribute buffer
|
||||
//char *s, // Pointer into buffer
|
||||
// buf[1024], // Text buffer
|
||||
FlexPointer s;
|
||||
FlexBuffer buf(1024);
|
||||
char attr[1024]; // Attribute buffer
|
||||
int xx, yy, ww, hh; // Current positions and sizes
|
||||
int line; // Current line
|
||||
unsigned char font, fsize; // Current font and size
|
||||
@ -495,10 +557,7 @@ Fl_Help_View::draw()
|
||||
}
|
||||
|
||||
while (*ptr && *ptr != '>' && !isspace(*ptr))
|
||||
if (s < (buf + sizeof(buf) - 1))
|
||||
*s++ = *ptr++;
|
||||
else
|
||||
ptr ++;
|
||||
*s++ = *ptr++;
|
||||
|
||||
*s = '\0';
|
||||
s = buf;
|
||||
@ -918,9 +977,9 @@ Fl_Help_View::format()
|
||||
const char *ptr, // Pointer into block
|
||||
*start, // Pointer to start of element
|
||||
*attrs; // Pointer to start of element attributes
|
||||
char *s, // Pointer into buffer
|
||||
buf[1024], // Text buffer
|
||||
attr[1024], // Attribute buffer
|
||||
FlexPointer s; // Pointer into buffer
|
||||
FlexBuffer buf(1024); // Text buffer
|
||||
char attr[1024], // Attribute buffer
|
||||
wattr[1024], // Width attribute buffer
|
||||
hattr[1024], // Height attribute buffer
|
||||
linkdest[1024]; // Link destination
|
||||
@ -1098,10 +1157,7 @@ Fl_Help_View::format()
|
||||
}
|
||||
|
||||
while (*ptr && *ptr != '>' && !isspace(*ptr))
|
||||
if (s < (buf + sizeof(buf) - 1))
|
||||
*s++ = *ptr++;
|
||||
else
|
||||
ptr ++;
|
||||
*s++ = *ptr++;
|
||||
|
||||
*s = '\0';
|
||||
s = buf;
|
||||
@ -1122,11 +1178,12 @@ Fl_Help_View::format()
|
||||
else if (strcasecmp(buf, "TITLE") == 0)
|
||||
{
|
||||
// Copy the title in the document...
|
||||
for (s = title_;
|
||||
*ptr != '<' && *ptr && s < (title_ + sizeof(title_) - 1);
|
||||
*s++ = *ptr++);
|
||||
char *s1;
|
||||
for (s1 = title_;
|
||||
*ptr != '<' && *ptr && s1 < (title_ + sizeof(title_) - 1);
|
||||
*s1++ = *ptr++);
|
||||
|
||||
*s = '\0';
|
||||
*s1 = '\0';
|
||||
s = buf;
|
||||
}
|
||||
else if (strcasecmp(buf, "A") == 0)
|
||||
@ -1587,7 +1644,7 @@ Fl_Help_View::format()
|
||||
|
||||
ptr ++;
|
||||
}
|
||||
else if (*ptr == '&' && s < (buf + sizeof(buf) - 1))
|
||||
else if (*ptr == '&')
|
||||
{
|
||||
ptr ++;
|
||||
|
||||
@ -1605,11 +1662,7 @@ Fl_Help_View::format()
|
||||
}
|
||||
else
|
||||
{
|
||||
if (s < (buf + sizeof(buf) - 1))
|
||||
*s++ = *ptr++;
|
||||
else
|
||||
ptr ++;
|
||||
|
||||
*s++ = *ptr++;
|
||||
if ((fsize + 2) > hh)
|
||||
hh = fsize + 2;
|
||||
}
|
||||
@ -1774,10 +1827,7 @@ Fl_Help_View::format_table(int *table_width, // O - Total table width
|
||||
start = ptr;
|
||||
|
||||
for (s = buf, ptr ++; *ptr && *ptr != '>' && !isspace(*ptr);)
|
||||
if (s < (buf + sizeof(buf) - 1))
|
||||
*s++ = *ptr++;
|
||||
else
|
||||
ptr ++;
|
||||
*s++ = *ptr++;
|
||||
|
||||
*s = '\0';
|
||||
s = buf;
|
||||
@ -2018,7 +2068,7 @@ Fl_Help_View::format_table(int *table_width, // O - Total table width
|
||||
|
||||
ptr ++;
|
||||
}
|
||||
else if (*ptr == '&' && s < (buf + sizeof(buf) - 1))
|
||||
else if (*ptr == '&')
|
||||
{
|
||||
ptr ++;
|
||||
|
||||
@ -2033,10 +2083,7 @@ Fl_Help_View::format_table(int *table_width, // O - Total table width
|
||||
}
|
||||
else
|
||||
{
|
||||
if (s < (buf + sizeof(buf) - 1))
|
||||
*s++ = *ptr++;
|
||||
else
|
||||
ptr ++;
|
||||
*s++ = *ptr++;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
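Review bot: In the first hunk, `FlexBuffer::enlarge()` assigns the result of `realloc` straight to `mem`, and the constructor does the same with `malloc`. If the allocation fails, the old block is leaked, `mem` becomes null while `size_` reports the new size, and `FlexPointer::operator*` then returns `buf->mem[ix]`, a write at an input-dependent offset from a null pointer. This commit also removes the `s < (buf + sizeof(buf) - 1)` guards in draw(), format() and format_table(), so the copy loops now depend entirely on that growth succeeding. I would keep the old block when `realloc` fails and have `operator*` clamp to the last valid byte, which restores the earlier truncating behaviour and keeps the terminating `*s = '\0'` in bounds. The constructor needs a matching null check, since the clamp assumes the initial allocation succeeded.

```cpp
  void enlarge(int need) {
    int step = (need+512)&~511;
    char *grown = (char*)realloc(mem, step);
    if (!grown) return;   // keep the old block and the old size_
    mem = grown;
    size_ = step;
  }
  // … unchanged: mem, size_, FlexPointer members up to operator++ …
  char& operator*() const {
    if (ix >= buf->size_)
      buf->enlarge(ix);
    if (ix >= buf->size_)   // growth failed: truncate instead of writing out of bounds
      return buf->mem[buf->size_ - 1];
    return buf->mem[ix];
  }
```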