diff options
| author | Sergey Sharybin <sergey.vfx@gmail.com> | 2011-05-12 20:49:53 +0400 |
|---|---|---|
| committer | Sergey Sharybin <sergey.vfx@gmail.com> | 2011-05-12 20:49:53 +0400 |
| commit | 1d6278f80a62191a4b2259f4da5d82945a396c6f (patch) | |
| tree | f0794bd198ee11a696ea21c13ef0787c97a4c98f | |
| parent | 5f5cdf9d00ddae944d3c50c2d0d7ecbed186d319 (diff) | |
Fix #27359: Pasting long text crashes blender
Actual problem was caused by insufficient buffer size
in ui_text_leftclip()
Also fixed possible invalid memory write in GHOST_SystemWin32::getClipboard
which was caused by accessing clipboard buffer after closing
clipboard. This mustn't happen.
Also fixed possible crush when buffer was failed to be locked.
| -rw-r--r-- | intern/ghost/intern/GHOST_SystemWin32.cpp | 19 | ||||
| -rw-r--r-- | source/blender/editors/interface/interface_widgets.c | 2 |
2 files changed, 12 insertions, 9 deletions
diff --git a/intern/ghost/intern/GHOST_SystemWin32.cpp b/intern/ghost/intern/GHOST_SystemWin32.cpp index ee8ec9e8018..92066d5f794 100644 --- a/intern/ghost/intern/GHOST_SystemWin32.cpp +++ b/intern/ghost/intern/GHOST_SystemWin32.cpp @@ -1178,25 +1178,28 @@ GHOST_TUns8* GHOST_SystemWin32::getClipboard(bool selection) const char *temp_buff; if ( IsClipboardFormatAvailable(CF_TEXT) && OpenClipboard(NULL) ) { + size_t len = 0; HANDLE hData = GetClipboardData( CF_TEXT ); if (hData == NULL) { CloseClipboard(); return NULL; } buffer = (char*)GlobalLock( hData ); + if (!buffer) { + return NULL; + } - temp_buff = (char*) malloc(strlen(buffer)+1); - strcpy(temp_buff, buffer); + len = strlen(buffer); + temp_buff = (char*) malloc(len+1); + strncpy(temp_buff, buffer, len); + temp_buff[len] = '\0'; + /* Buffer mustn't be accessed after CloseClipboard + it would like accessing free-d memory */ GlobalUnlock( hData ); CloseClipboard(); - temp_buff[strlen(buffer)] = '\0'; - if (buffer) { - return (GHOST_TUns8*)temp_buff; - } else { - return NULL; - } + return (GHOST_TUns8*)temp_buff; } else { return NULL; } diff --git a/source/blender/editors/interface/interface_widgets.c b/source/blender/editors/interface/interface_widgets.c index ecadb52ad5d..58ed1e31b81 100644 --- a/source/blender/editors/interface/interface_widgets.c +++ b/source/blender/editors/interface/interface_widgets.c @@ -888,7 +888,7 @@ static void ui_text_leftclip(uiFontStyle *fstyle, uiBut *but, rcti *rect) /* textbut exception, clip right when... */ if(but->editstr && but->pos >= 0) { float width; - char buf[256]; + char buf[UI_MAX_DRAW_STR]; /* copy draw string */ BLI_strncpy(buf, but->drawstr, sizeof(buf)); |