From 17734f0b7b2d5240c0adb14f7ce03763603fd99c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Wed, 28 Dec 2011 20:36:26 -0800
Subject: Bounds check value passed to WriteText
Read outside array bounds (CWE 125): In array dereference of names[type] with index 'type' Array size is 4 elements (of 8 bytes each), index >= 0 and index <= 2147483647 at line 155 of text.c in function 'WriteText'.
[ This bug was found by the Parfait 0.4.2 bug checking tool. For more information see http://labs.oracle.com/projects/parfait/ ]
Signed-off-by: Alan Coopersmith
---
 text.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'text.c')
diff --git a/text.c b/text.c
index 6701fdb..b27d09a 100644
--- a/text.c
+++ b/text.c
@@ -147,6 +147,10 @@ WriteText(Widget w, XEvent *event, String *params, Cardinal *num_params)
 int type; /* which string # to send */
 type = atoi(params[0]);
+ if (type < 0 || type >= NUMTEXTWIDGETS) {
+ fprintf(stderr, "Invalid value %s in WriteText()\n", params[0]);
+ return;
+ }
 if (strcmp(textstrings[type],oldtextstrings[type])) {
 strcpy(oldtextstrings[type],textstrings[type]);
 snprintf(mbuf,sizeof mbuf,"%s%s\n",
--
cgit v1.2.3
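Review bot: `params[0]` is still read by `atoi()` before anything in the hunk confirms the action was invoked with a parameter, so the new range check does not help when `*num_params` is 0; a guard such as `if (*num_params < 1 || params[0] == NULL) return;` ahead of the `atoi()` call would close that path. `atoi()` also returns 0 for non-numeric text, which passes the new check as a valid index 0, and its behaviour on out-of-range input is undefined; `strtol()` with an end-pointer and `errno` check would let the function reject such values rather than silently act on slot 0. The `strcpy()` into `oldtextstrings[type]` in the following context line is unbounded, and the buffer sizes are not visible here, so it is worth confirming both arrays share the same element size. The body of WriteText starts and ends outside this hunk, so an earlier check may already exist.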