authorAlan Coopersmith <alan.coopersmith@oracle.com>2011-12-28 20:36:26 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2011-12-28 20:41:19 -0800
commit17734f0b7b2d5240c0adb14f7ce03763603fd99c (patch)
treeab55b6c512afc3905a21dfc830eb1532b97d9735
parent84e7552c98096930cef9ed2d1d91f3d8abceeb4e (diff)
Bounds check value passed to WriteText
Read outside array bounds (CWE 125): In array dereference of names[type] with index 'type' Array size is 4 elements (of 8 bytes each), index >= 0 and index <= 2147483647 at line 155 of text.c in function 'WriteText'. [ This bug was found by the Parfait 0.4.2 bug checking tool. For more information see http://labs.oracle.com/projects/parfait/ ] Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--text.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/text.c b/text.c
index 6701fdb..b27d09a 100644
--- a/text.c
+++ b/text.c
@@ -147,6 +147,10 @@ WriteText(Widget w, XEvent *event, String *params, Cardinal *num_params)
int type; /* which string # to send */
type = atoi(params[0]);
+ if (type < 0 || type >= NUMTEXTWIDGETS) {
+ fprintf(stderr, "Invalid value %s in WriteText()\n", params[0]);
+ return;
+ }
if (strcmp(textstrings[type],oldtextstrings[type])) {
strcpy(oldtextstrings[type],textstrings[type]);
snprintf(mbuf,sizeof mbuf,"%s%s\n",
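Review bot: `params[0]` is still read by `atoi(params[0])`, and now also by the new `fprintf`, without first checking `*num_params`, so an action invoked with no arguments can dereference an empty or NULL parameter list before the added bounds check runs; a guard such as `if (*num_params < 1) return;` ahead of the `atoi` call would close that. `atoi` also returns 0 for non-numeric text, which passes the new range check and silently selects entry 0, and its behaviour on out-of-range input is undefined; `strtol` with an end-pointer and `ERANGE` check would reject both. The `strcpy` into `oldtextstrings[type]` on the following context line is unbounded, and the sizes of the two string tables are not visible in this hunk, so it is worth confirming the destination is at least as large as the source. WriteText's body starts and ends outside the hunk.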