[Bf-blender-cvs] SVN commit: /data/svn/bf-blender [36645] trunk/blender: Fix #27359: Pasting long text crashes blender
Sergey Sharybin
g.ulairi at gmail.com
Thu May 12 18:49:53 CEST 2011
Revision: 36645
http://projects.blender.org/scm/viewvc.php?view=rev&root=bf-blender&revision=36645
Author: nazgul
Date: 2011-05-12 16:49:53 +0000 (Thu, 12 May 2011)
Log Message:
-----------
Fix #27359: Pasting long text crashes blender
Actual problem was caused by insufficient buffer size
in ui_text_leftclip()
Also fixed possible invalid memory write in GHOST_SystemWin32::getClipboard
which was caused by accessing clipboard buffer after closing
clipboard. This mustn't happen.
Also fixed possible crush when buffer was failed to be locked.
Modified Paths:
--------------
trunk/blender/intern/ghost/intern/GHOST_SystemWin32.cpp
trunk/blender/source/blender/editors/interface/interface_widgets.c
Modified: trunk/blender/intern/ghost/intern/GHOST_SystemWin32.cpp
===================================================================
--- trunk/blender/intern/ghost/intern/GHOST_SystemWin32.cpp 2011-05-12 16:47:36 UTC (rev 36644)
+++ trunk/blender/intern/ghost/intern/GHOST_SystemWin32.cpp 2011-05-12 16:49:53 UTC (rev 36645)
@@ -1178,25 +1178,28 @@
char *temp_buff;
if ( IsClipboardFormatAvailable(CF_TEXT) && OpenClipboard(NULL) ) {
+ size_t len = 0;
HANDLE hData = GetClipboardData( CF_TEXT );
if (hData == NULL) {
CloseClipboard();
return NULL;
}
buffer = (char*)GlobalLock( hData );
+ if (!buffer) {
+ return NULL;
+ }
- temp_buff = (char*) malloc(strlen(buffer)+1);
- strcpy(temp_buff, buffer);
+ len = strlen(buffer);
+ temp_buff = (char*) malloc(len+1);
+ strncpy(temp_buff, buffer, len);
+ temp_buff[len] = '\0';
+ /* Buffer mustn't be accessed after CloseClipboard
+ it would like accessing free-d memory */
GlobalUnlock( hData );
CloseClipboard();
- temp_buff[strlen(buffer)] = '\0';
- if (buffer) {
- return (GHOST_TUns8*)temp_buff;
- } else {
- return NULL;
- }
+ return (GHOST_TUns8*)temp_buff;
} else {
return NULL;
}
Modified: trunk/blender/source/blender/editors/interface/interface_widgets.c
===================================================================
--- trunk/blender/source/blender/editors/interface/interface_widgets.c 2011-05-12 16:47:36 UTC (rev 36644)
+++ trunk/blender/source/blender/editors/interface/interface_widgets.c 2011-05-12 16:49:53 UTC (rev 36645)
@@ -888,7 +888,7 @@
/* textbut exception, clip right when... */
if(but->editstr && but->pos >= 0) {
float width;
- char buf[256];
+ char buf[UI_MAX_DRAW_STR];
/* copy draw string */
BLI_strncpy(buf, but->drawstr, sizeof(buf));
More information about the Bf-blender-cvs
mailing list