From 79bbd4aca5be5dd702d9b484b06f65b8bf7a1b2d Mon Sep 17 00:00:00 2001
From: Daniel Boles
Date: Tue, 1 Aug 2017 19:57:51 +0100
Subject: [PATCH] cssselector: Ensure we do not index out of bounds

This would only happen if the last element was deprecated, but it should be avoided anyway. CID 1388852 (#1 of 1): Out-of-bounds read (OVERRUN) 12. overrun-local: Overrunning array pseudo_classes of 16 32-byte elements at element index 16 (byte offset 512) using index i + 1U (which evaluates to 16).
---
gtk/gtkcssselector.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gtk/gtkcssselector.c b/gtk/gtkcssselector.c
index b2b0260af7..40c43559f5 100644
--- a/gtk/gtkcssselector.c
+++ b/gtk/gtkcssselector.c
@@ -1124,8 +1124,8 @@ parse_selector_pseudo_class (GtkCssParser *parser,
 { "visited", 0, GTK_STATE_FLAG_VISITED, },
 { "checked", 0, GTK_STATE_FLAG_CHECKED, },
 { "drop(active)", 0, GTK_STATE_FLAG_DROP_ACTIVE, }
- };
+ guint i;
 if (_gtk_css_parser_try (parser, "nth-child", FALSE))
@@ -1145,7 +1145,8 @@ parse_selector_pseudo_class (GtkCssParser *parser,
 selector->state.state = pseudo_classes[i].state_flag;
 if (pseudo_classes[i].deprecated)
 {
- if (pseudo_classes[i + 1].state_flag == pseudo_classes[i].state_flag)
+ if (i + 1 < G_N_ELEMENTS (pseudo_classes) &&
+ pseudo_classes[i + 1].state_flag == pseudo_classes[i].state_flag)
 _gtk_css_parser_error_full (parser, GTK_CSS_PROVIDER_ERROR_DEPRECATED, "The :%s pseudo-class is deprecated. Use :%s instead.",
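Review bot: The pseudo_classes table closed in this hunk carries an unstated ordering contract — a deprecated entry must be immediately followed by its replacement with the same state_flag, because the `pseudo_classes[i + 1]` lookup in the second hunk is what produces the "Use :%s instead." message — and nothing at the table says so. The new bounds check only prevents a trailing deprecated entry from reading past the end of the array; a misordered table would still silently drop the replacement hint rather than fail loudly, so the requirement belongs in a comment at the table's definition (above this hunk), e.g. `/* A deprecated entry must be directly followed by its replacement (same state_flag); the deprecation hint below reads pseudo_classes[i + 1]. */`. The table header and the rest of parse_selector_pseudo_class lie outside this hunk.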