diff options
| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2011-12-28 20:36:26 -0800 |
|---|---|---|
| committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2011-12-28 20:41:19 -0800 |
| commit | 17734f0b7b2d5240c0adb14f7ce03763603fd99c (patch) | |
| tree | ab55b6c512afc3905a21dfc830eb1532b97d9735 | |
| parent | 84e7552c98096930cef9ed2d1d91f3d8abceeb4e (diff) | |
Bounds check value passed to WriteText
Read outside array bounds (CWE 125): In array dereference of names[type] with index 'type'
Array size is 4 elements (of 8 bytes each), index >= 0 and index <= 2147483647
at line 155 of text.c in function 'WriteText'.
[ This bug was found by the Parfait 0.4.2 bug checking tool.
For more information see http://labs.oracle.com/projects/parfait/ ]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| -rw-r--r-- | text.c | 4 |
1 files changed, 4 insertions, 0 deletions
@@ -147,6 +147,10 @@ WriteText(Widget w, XEvent *event, String *params, Cardinal *num_params) int type; /* which string # to send */ type = atoi(params[0]); + if (type < 0 || type >= NUMTEXTWIDGETS) { + fprintf(stderr, "Invalid value %s in WriteText()\n", params[0]); + return; + } if (strcmp(textstrings[type],oldtextstrings[type])) { strcpy(oldtextstrings[type],textstrings[type]); snprintf(mbuf,sizeof mbuf,"%s%s\n", |