xtext: Fix overflow on long lines

xtext keeps a static buffer and uses it for various things and asserts that every text entry is < 4096. It does this check on gtk_xtext_append*() except it does the check only on the right half of text when indent is enabled. This overflow caused corruption in the xtext struct changing the url check functions making hovering with the mouse do 'undefined' things. In the long term this should be removed for a dynamically allocated buffer so no arbitrary size limit exists and text gets cut off. Fixes #1465 Fixes #1186 Fixes #1206
2024-11-10 05:02:50 +01:00 · 2015-10-30 00:57:25 -04:00 · 2015-10-30 00:57:25 -04:00 · c8539b93fe
commit c8539b93fe
parent 1e914347d7
1 changed files with 5 additions and 2 deletions
--- a/src/fe-gtk/xtext.c
+++ b/src/fe-gtk/xtext.c
@ -4649,8 +4649,8 @@ gtk_xtext_append_indent (xtext_buffer *buf,
 	if (right_len == -1)
 		right_len = strlen (right_text);

-	if (right_len >= sizeof (buf->xtext->scratch_buffer))
-		right_len = sizeof (buf->xtext->scratch_buffer) - 1;
+	if (left_len + right_len + 2 >= sizeof (buf->xtext->scratch_buffer))
+		right_len = sizeof (buf->xtext->scratch_buffer) - left_len - 2;

 	if (right_text[right_len-1] == '\n')
 		right_len--;
@ -4670,6 +4670,9 @@ gtk_xtext_append_indent (xtext_buffer *buf,
 	ent->str_len = left_len + 1 + right_len;
 	ent->indent = (buf->indent - left_width) - buf->xtext->space_width;

+	/* This is copied into the scratch buffer later, double check math */
+	g_assert (ent->str_len < sizeof (buf->xtext->scratch_buffer));
+
 	if (buf->time_stamp)
 		space = buf->xtext->stamp_width;
 	else