From 7765e16cd1587f3d496180e69090b7d530a2a83a Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <[email protected]>
Date: Sat, 5 May 2012 11:06:15 +0200
Subject: [PATCH] Avoid buffer overrun in parseMenuCommand.

In parseMenuCommand, title[300] might get filled with a string of length
300.  The string is copied with strcpy, therefore the size would have to be
301 or -- as I propose -- the fixed value 300 gets replaced with
"sizeof(title) - 1".  This shows also that the size 300 belongs to title
and it will already be replaced during compile-time into 299.
---
 src/appmenu.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/appmenu.c b/src/appmenu.c
index 6aac338..0d6c7f4 100644
--- a/src/appmenu.c
+++ b/src/appmenu.c
@@ -92,7 +92,7 @@ static WMenu *parseMenuCommand(WScreen * scr, Window win, 
char **slist, int coun
        char title[300];
        char rtext[300];
 
-       if (strlen(slist[*index]) > 300) {
+       if (strlen(slist[*index]) > sizeof(title) - 1) {
                wwarning("appmenu: menu command size exceeded in window %lx", 
win);
                return NULL;
        }
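
Review bot: The new bound in `if (strlen(slist[*index]) > sizeof(title) - 1)` protects only `title`, while `rtext[300]` declared on the line above is a second fixed-size buffer whose limit is still tied to `title` by coincidence of both being 300. If any part of `slist[*index]` is also copied into `rtext` later in the function (not visible in this hunk), the check should cover it explicitly, for example by also comparing against `sizeof(rtext) - 1`, so that resizing one array cannot silently reopen the overrun. Since the commit message says the copy is done with `strcpy`, it would also be worth replacing that call with a length-bounded copy that uses `sizeof(title)`, so the check and the copy cannot drift apart. A short comment next to the check noting that the `- 1` reserves room for the terminating NUL would help the next reader.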
-- 
1.7.6

