From 9fd31ed94ebdcd8775e702d77edca2d36d13f7f2 Mon Sep 17 00:00:00 2001
From: Albrecht Schlosser
Date: Thu, 1 Sep 2016 10:35:21 +0000
Subject: Fix buffer overflow in CR/LF conversion.
An already present CR/LF combination causes us to jump two characters, but we failed to update the length counter when doing this. This also makes sure we handle the corner case of a CR as the last character.
Note: porting Pierre Ossman's commit (svn r11873) to branch-1.3-porting.
git-svn-id: file:///fltk/svn/fltk/branches/branch-1.3-porting@11913 ea41ed52-d2ee-0310-a9c1-e6b18d33e121
---
 src/Fl_win32.cxx | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'src')
diff --git a/src/Fl_win32.cxx b/src/Fl_win32.cxx
index ba68ec0ac..13ae5c459 100644
--- a/src/Fl_win32.cxx
+++ b/src/Fl_win32.cxx
@@ -581,9 +581,9 @@ public:
 char *o;
 int lencount;
 // Predict size of \r\n conversion buffer
- for ( i=in, lencount = inlen; lencount--; ) {
- if ( *i == '\r' && *(i+1) == '\n' ) // leave \r\n untranslated
- { i+=2; outlen+=2; }
+ for (i = in, lencount = inlen; lencount > 0; lencount--) {
+ if ( *i == '\r' && *(i+1) == '\n' && lencount >= 2 ) // leave \r\n untranslated
+ { i+=2; outlen+=2; lencount--; }
 else if ( *i == '\n' ) // \n by itself? leave room to insert \r
 { i++; outlen+=2; }
 else
@@ -592,9 +592,9 @@ public:
 // Alloc conversion buffer + NULL
 out = new char[outlen+1];
 // Handle \n -> \r\n conversion
- for ( i=in, o=out, lencount = inlen; lencount--; ) {
- if ( *i == '\r' && *(i+1) == '\n' ) // leave \r\n untranslated
- { *o++ = *i++; *o++ = *i++; }
+ for (i = in, o=out, lencount = inlen; lencount > 0; lencount--) {
+ if ( *i == '\r' && *(i+1) == '\n' && lencount >= 2 ) // leave \r\n untranslated
+ { *o++ = *i++; *o++ = *i++; lencount--; }
 else if ( *i == '\n' ) // \n by itself? insert \r
 { *o++ = '\r'; *o++ = *i++; }
 else
--
cgit v1.2.3
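Review bot: In both rewritten loops the new bound is tested last, so `*(i+1)` is still dereferenced before `lencount >= 2` is checked; when the final input byte is a CR this reads one byte past `inlen`. That is harmless only if the caller always passes a NUL-terminated buffer, which these hunks do not show. Put the length test first so short-circuit evaluation guards the read: `if ( lencount >= 2 && *i == '\r' && *(i+1) == '\n' )`, in the size-prediction loop and in the copy loop alike, keeping the two conditions identical so the predicted `outlen` matches what the copy loop writes. The enclosing function starts and ends outside the hunks.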