From c605f1c0ab946e8f46ab7d4b145525b0ced158e3 Mon Sep 17 00:00:00 2001
From: Bert Wesarg <bert.wesarg@googlemail.com>
Date: Fri, 3 Oct 2008 14:34:55 +0000
Subject: [PATCH] remove argument limit from action routines

In the old days function calls could only have 9 arguments. This limitation
comes from the macro language. This limitation was removed but the code for
calling a action routine was not adopted to this change. So a buffer overflow
was created. This commit removes this buffer overflow by creating the buffer
dynamically from the number of arguments.

Closes SF BUG#2074318
---
 source/interpret.c | 6 ++++--
 source/interpret.h | 3 +--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/source/interpret.c b/source/interpret.c
index dde7e88..e2eee38 100644
--- a/source/interpret.c
+++ b/source/interpret.c
@@ -1,4 +1,4 @@
-static const char CVSID[] = "$Id: interpret.c,v 1.53 2008/03/09 19:29:38 lebert Exp $";
+static const char CVSID[] = "$Id: interpret.c,v 1.54 2008/10/03 14:34:55 lebert Exp $";
 /*******************************************************************************
 *									       *
 * interpret.c -- Nirvana Editor macro interpreter			       *
@@ -1977,7 +1977,7 @@ static int callSubroutine(void)
     ** Call an action routine
     */
     if (sym->type == ACTION_ROUTINE_SYM) {
-    	String argList[MAX_ARGS];
+        String *argList;
     	Cardinal numArgs = nArgs;
     	XKeyEvent key_event;
 	Display *disp;
@@ -1999,6 +1999,7 @@ static int callSubroutine(void)
         key_event.display=disp;
         key_event.window=key_event.root=key_event.subwindow=win;
     
+        argList = (String *)XtCalloc(nArgs, sizeof(*argList));
 	/* pop arguments off the stack and put them in the argument list */
 	for (i=nArgs-1; i>=0; i--) {
     	    POP_STRING(argList[i])
@@ -2008,6 +2009,7 @@ static int callSubroutine(void)
     	PreemptRequest = False;
     	sym->value.val.xtproc(FocusWindow->lastFocus,
     	    	(XEvent *)&key_event, argList, &numArgs);
+        XtFree((char *)argList);
     	if (PC->func == fetchRetVal) {
     	    return execError("%s does not return a value", sym->name);
         }
diff --git a/source/interpret.h b/source/interpret.h
index 8ac97ee..177049a 100644
--- a/source/interpret.h
+++ b/source/interpret.h
@@ -1,4 +1,4 @@
-/* $Id: interpret.h,v 1.21 2008/03/09 19:29:38 lebert Exp $ */
+/* $Id: interpret.h,v 1.22 2008/10/03 14:34:55 lebert Exp $ */
 /*******************************************************************************
 *                                                                              *
 * interpret.h -- Nirvana Editor Interpreter Header File                        *
@@ -31,7 +31,6 @@
 #include "nedit.h"
 #include "rbTree.h"
 
-#define MAX_ARGS 9  	    	/* Maximum number of subroutine arguments */
 #define STACK_SIZE 1024		/* Maximum stack size */
 #define MAX_SYM_LEN 100 	/* Max. symbol name length */
 #define MACRO_EVENT_MARKER 2 	/* Special value for the send_event field of
-- 
2.11.4.GIT