Fix #27359: Pasting long text crashes blender
authorSergey Sharybin <sergey.vfx@gmail.com>
Thu, 12 May 2011 16:49:53 +0000 (16:49 +0000)
committerSergey Sharybin <sergey.vfx@gmail.com>
Thu, 12 May 2011 16:49:53 +0000 (16:49 +0000)
Actual problem was caused by insufficient buffer size
in ui_text_leftclip()

Also fixed possible invalid memory write in GHOST_SystemWin32::getClipboard
which was caused by accessing clipboard buffer after closing
clipboard. This mustn't happen.
Also fixed possible crash when the buffer failed to be locked.

intern/ghost/intern/GHOST_SystemWin32.cpp
source/blender/editors/interface/interface_widgets.c

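--- a/intern/ghost/intern/GHOST_SystemWin32.cpp
+++ b/intern/ghost/intern/GHOST_SystemWin32.cpp
@@ -1178,25 +1178,28 @@ GHOST_TUns8* GHOST_SystemWin32::getClipboard(bool selection) const
        char *temp_buff;
        
        if ( IsClipboardFormatAvailable(CF_TEXT) && OpenClipboard(NULL) ) {
+               size_t len = 0;
                HANDLE hData = GetClipboardData( CF_TEXT );
                if (hData == NULL) {
                        CloseClipboard();
                        return NULL;
                }
                buffer = (char*)GlobalLock( hData );
+               if (!buffer) {
+                       return NULL;
+               }
                
-               temp_buff = (char*) malloc(strlen(buffer)+1);
-               strcpy(temp_buff, buffer);
+               len = strlen(buffer);
+               temp_buff = (char*) malloc(len+1);
+               strncpy(temp_buff, buffer, len);
+               temp_buff[len] = '\0';
                
+               /* Buffer mustn't be accessed after CloseClipboard
+                  it would like accessing free-d memory */
                GlobalUnlock( hData );
                CloseClipboard();
                
-               temp_buff[strlen(buffer)] = '\0';
-               if (buffer) {
-                       return (GHOST_TUns8*)temp_buff;
-               } else {
-                       return NULL;
-               }
+               return (GHOST_TUns8*)temp_buff;
        } else {
                return NULL;
        }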
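Review bot: The new `if (!buffer) { return NULL; }` after `GlobalLock( hData )` returns while the clipboard is still open, unlike the `hData == NULL` branch just above it, which calls `CloseClipboard()` first. A failed lock would therefore leave the clipboard held by this process, so add `CloseClipboard();` before that `return NULL;`. The result of `malloc(len+1)` is also passed unchecked to `strncpy` and `temp_buff[len] = '\0'`, so clipboard text large enough to make the allocation fail turns into a NULL write; check `temp_buff`, then `GlobalUnlock( hData ); CloseClipboard();` and return NULL. The function starts before this hunk, so the declaration of `buffer` is not visible here.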
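--- a/source/blender/editors/interface/interface_widgets.c
+++ b/source/blender/editors/interface/interface_widgets.c
@@ -888,7 +888,7 @@ static void ui_text_leftclip(uiFontStyle *fstyle, uiBut *but, rcti *rect)
                /* textbut exception, clip right when... */
                if(but->editstr && but->pos >= 0) {
                        float width;
-                       char buf[256];
+                       char buf[UI_MAX_DRAW_STR];
                        
                        /* copy draw string */
                        BLI_strncpy(buf, but->drawstr, sizeof(buf));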
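Review bot: The visible copy `BLI_strncpy(buf, but->drawstr, sizeof(buf))` was already bounded with the old 256-byte buffer, so the out-of-bounds access behind the crash presumably sits later in ui_text_leftclip, outside this hunk, where `buf` is indexed with an offset taken from the full draw string. Enlarging `buf` fixes that only while `buf` and `but->drawstr` stay the same size, and nothing here states or enforces that. I would record the invariant at the declaration, e.g. `/* must be as large as but->drawstr: offsets used below index into buf */`. If `drawstr` is a fixed array in uiBut (not visible here), declaring `char buf[sizeof(but->drawstr)];` would keep the sizes from drifting. Clamping the index against `strlen(buf)` at the point of use would make the function safe regardless of buffer size.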