remove-argument-limit-from-action-routines.patch

   1 Subject: Remove argument limit from action routines
   2
   3 This removes a buffer overflow, if more than 9 arguments are passed to an
   4 action routine.
   5
   6 SF: BUG#2074318
   7
   8 Postedh here, as proposal B:
   9
  10   http://www.nedit.org/pipermail/develop/2008-August/014628.html
  11
  12 ---
  13
  14  source/interpret.c |    4 +++-
  15  source/interpret.h |    1 -
  16  2 files changed, 3 insertions(+), 2 deletions(-)
  17
  18 diff --quilt old/source/interpret.c new/source/interpret.c
  19 --- old/source/interpret.c
  20 +++ new/source/interpret.c
  21 @@ -1975,11 +1975,11 @@ static int callSubroutine(void)
  22
  23      /*
  24      ** Call an action routine
  25      */
  26      if (sym->type == ACTION_ROUTINE_SYM) {
  27 -       String argList[MAX_ARGS];
  28 +        String *argList;
  29         Cardinal numArgs = nArgs;
  30         XKeyEvent key_event;
  31         Display *disp;
  32         Window win;
  33
  34 @@ -1997,19 +1997,21 @@ static int callSubroutine(void)
  35            in strange cases, like calling "self_insert()" directly from the
  36            macro menu. In fact the display was sufficient to cure this crash. */
  37          key_event.display=disp;
  38          key_event.window=key_event.root=key_event.subwindow=win;
  39
  40 +        argList = (String *)XtCalloc(nArgs, sizeof(*argList));
  41         /* pop arguments off the stack and put them in the argument list */
  42         for (i=nArgs-1; i>=0; i--) {
  43             POP_STRING(argList[i])
  44         }
  45
  46         /* Call the action routine and check for preemption */
  47         PreemptRequest = False;
  48         sym->value.val.xtproc(FocusWindow->lastFocus,
  49                 (XEvent *)&key_event, argList, &numArgs);
  50 +        XtFree((char *)argList);
  51         if (PC->func == fetchRetVal) {
  52             return execError("%s does not return a value", sym->name);
  53          }
  54         return PreemptRequest ? STAT_PREEMPT : STAT_OK;
  55      }
  56 diff --quilt old/source/interpret.h new/source/interpret.h
  57 --- old/source/interpret.h
  58 +++ new/source/interpret.h
  59 @@ -29,11 +29,10 @@
  60  #define NEDIT_INTERPRET_H_INCLUDED
  61
  62  #include "nedit.h"
  63  #include "rbTree.h"
  64
  65 -#define MAX_ARGS 9             /* Maximum number of subroutine arguments */
  66  #define STACK_SIZE 1024                /* Maximum stack size */
  67  #define MAX_SYM_LEN 100        /* Max. symbol name length */
  68  #define MACRO_EVENT_MARKER 2   /* Special value for the send_event field of
  69                                    events passed to action routines.  Tells
  70                                    them that they were called from a macro */