[ nedit-Bugs-2074318 ] buffer overflow with >9 arguments to action routine

Bert Wesarg bert.wesarg at googlemail.com
Mon Aug 25 22:35:09 CEST 2008


proposals A and B
-------------- next part --------------
---

 source/interpret.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --quilt old/source/interpret.c new/source/interpret.c
--- old/source/interpret.c
+++ new/source/interpret.c
@@ -1980,10 +1980,15 @@ static int callSubroutine(void)
     	String argList[MAX_ARGS];
     	Cardinal numArgs = nArgs;
     	XKeyEvent key_event;
 	Display *disp;
 	Window win;
+
+        if (nArgs > MAX_ARGS) {
+            return execError("too many arguments for action routine %s",
+                    sym->name);
+        }
     
 	/* Create a fake event with a timestamp suitable for actions which need
 	   timestamps, a marker to indicate that the call was from a macro
 	   (to stop shell commands from putting up their own separate banner) */
         disp=XtDisplay(InitiatingWindow->shell);
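Review bot: The new guard `if (nArgs > MAX_ARGS)` is the only thing keeping the later pop loop from writing past `String argList[MAX_ARGS]`, and nothing next to it says so. A comment above the check, such as `/* argList is a fixed MAX_ARGS-sized stack array; reject calls that would overflow it */`, would keep a later edit from moving or dropping it. The check runs before any argument is popped, so the nArgs values are still on the macro stack when execError returns; that is presumably fine if execError aborts the macro, but its definition is outside the hunk. callSubroutine's body starts and ends outside the hunk.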
-------------- next part --------------
---

 source/interpret.c |    4 +++-
 source/interpret.h |    1 -
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --quilt old/source/interpret.c new/source/interpret.c
--- old/source/interpret.c
+++ new/source/interpret.c
@@ -1975,11 +1975,11 @@ static int callSubroutine(void)
     
     /*
     ** Call an action routine
     */
     if (sym->type == ACTION_ROUTINE_SYM) {
-    	String argList[MAX_ARGS];
+        String *argList;
     	Cardinal numArgs = nArgs;
     	XKeyEvent key_event;
 	Display *disp;
 	Window win;
     
@@ -1997,19 +1997,21 @@ static int callSubroutine(void)
 	   in strange cases, like calling "self_insert()" directly from the
 	   macro menu. In fact the display was sufficient to cure this crash. */
         key_event.display=disp;
         key_event.window=key_event.root=key_event.subwindow=win;
     
+        argList = XtCalloc(nArgs, sizeof(*argList));
 	/* pop arguments off the stack and put them in the argument list */
 	for (i=nArgs-1; i>=0; i--) {
     	    POP_STRING(argList[i])
 	}
 
     	/* Call the action routine and check for preemption */
     	PreemptRequest = False;
     	sym->value.val.xtproc(FocusWindow->lastFocus,
     	    	(XEvent *)&key_event, argList, &numArgs);
+        XtFree((char *)argList);
     	if (PC->func == fetchRetVal) {
     	    return execError("%s does not return a value", sym->name);
         }
     	return PreemptRequest ? STAT_PREEMPT : STAT_OK;
     }
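Review bot: The buffer from `XtCalloc` is leaked if `POP_STRING` can return from callSubroutine on a bad stack entry, because `XtFree` is reached only after the action routine has run; `POP_STRING` is a macro defined outside this hunk, so this needs checking against its definition. `XtCalloc` returns `char *`, so the assignment also needs a cast: `argList = (String *)XtCalloc(nArgs, sizeof(*argList));`. With the `MAX_ARGS` cap gone, the allocation size follows nArgs directly, and nArgs looks signed given the `i>=0` loop, so a negative or implausibly large count should be rejected before it is converted to the `Cardinal` count argument. The enclosing `if` block opens in the previous hunk.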
diff --quilt old/source/interpret.h new/source/interpret.h
--- old/source/interpret.h
+++ new/source/interpret.h
@@ -29,11 +29,10 @@
 #define NEDIT_INTERPRET_H_INCLUDED
 
 #include "nedit.h"
 #include "rbTree.h"
 
-#define MAX_ARGS 9  	    	/* Maximum number of subroutine arguments */
 #define STACK_SIZE 1024		/* Maximum stack size */
 #define MAX_SYM_LEN 100 	/* Max. symbol name length */
 #define MACRO_EVENT_MARKER 2 	/* Special value for the send_event field of
     	    	    	    	   events passed to action routines.  Tells
     	    	    	    	   them that they were called from a macro */

