diff --git a/ChangeLog b/ChangeLog index dd6c6a3992..cdf5e33cf9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +Tue May 12 02:17:19 1998 Tim Janik + + [security audit by Alan Cox] + + * gtk/gtkobject.c (gtk_object_get_arg_type): check for arg_name to not + exceed maximum assumed size. + + * gtk/gtkmenufactory.c (gtk_menu_factory_create): check that `path' does + not exceed maximum assumed size. + (gtk_menu_factory_remove): likewise. + (gtk_menu_factory_find_recurse): likewise. + Tue May 12 00:21:33 1998 Tim Janik * gtk/gtkwidget.c (gtk_widget_queue_resize): queue the idle_sizer with diff --git a/ChangeLog.pre-2-0 b/ChangeLog.pre-2-0 index dd6c6a3992..cdf5e33cf9 100644 --- a/ChangeLog.pre-2-0 +++ b/ChangeLog.pre-2-0 @@ -1,3 +1,15 @@ +Tue May 12 02:17:19 1998 Tim Janik + + [security audit by Alan Cox] + + * gtk/gtkobject.c (gtk_object_get_arg_type): check for arg_name to not + exceed maximum assumed size. + + * gtk/gtkmenufactory.c (gtk_menu_factory_create): check that `path' does + not exceed maximum assumed size. + (gtk_menu_factory_remove): likewise. + (gtk_menu_factory_find_recurse): likewise. + Tue May 12 00:21:33 1998 Tim Janik * gtk/gtkwidget.c (gtk_widget_queue_resize): queue the idle_sizer with diff --git a/ChangeLog.pre-2-10 b/ChangeLog.pre-2-10 index dd6c6a3992..cdf5e33cf9 100644 --- a/ChangeLog.pre-2-10 +++ b/ChangeLog.pre-2-10 @@ -1,3 +1,15 @@ +Tue May 12 02:17:19 1998 Tim Janik + + [security audit by Alan Cox] + + * gtk/gtkobject.c (gtk_object_get_arg_type): check for arg_name to not + exceed maximum assumed size. + + * gtk/gtkmenufactory.c (gtk_menu_factory_create): check that `path' does + not exceed maximum assumed size. + (gtk_menu_factory_remove): likewise. + (gtk_menu_factory_find_recurse): likewise. + Tue May 12 00:21:33 1998 Tim Janik * gtk/gtkwidget.c (gtk_widget_queue_resize): queue the idle_sizer with diff --git a/ChangeLog.pre-2-2 b/ChangeLog.pre-2-2 index dd6c6a3992..cdf5e33cf9 100644 --- a/ChangeLog.pre-2-2 +++ b/ChangeLog.pre-2-2 @@ -1,3 +1,15 @@ +Tue May 12 02:17:19 1998 Tim Janik + + [security audit by Alan Cox] + + * gtk/gtkobject.c (gtk_object_get_arg_type): check for arg_name to not + exceed maximum assumed size. + + * gtk/gtkmenufactory.c (gtk_menu_factory_create): check that `path' does + not exceed maximum assumed size. + (gtk_menu_factory_remove): likewise. + (gtk_menu_factory_find_recurse): likewise. + Tue May 12 00:21:33 1998 Tim Janik * gtk/gtkwidget.c (gtk_widget_queue_resize): queue the idle_sizer with diff --git a/ChangeLog.pre-2-4 b/ChangeLog.pre-2-4 index dd6c6a3992..cdf5e33cf9 100644 --- a/ChangeLog.pre-2-4 +++ b/ChangeLog.pre-2-4 @@ -1,3 +1,15 @@ +Tue May 12 02:17:19 1998 Tim Janik + + [security audit by Alan Cox] + + * gtk/gtkobject.c (gtk_object_get_arg_type): check for arg_name to not + exceed maximum assumed size. + + * gtk/gtkmenufactory.c (gtk_menu_factory_create): check that `path' does + not exceed maximum assumed size. + (gtk_menu_factory_remove): likewise. + (gtk_menu_factory_find_recurse): likewise. + Tue May 12 00:21:33 1998 Tim Janik * gtk/gtkwidget.c (gtk_widget_queue_resize): queue the idle_sizer with diff --git a/ChangeLog.pre-2-6 b/ChangeLog.pre-2-6 index dd6c6a3992..cdf5e33cf9 100644 --- a/ChangeLog.pre-2-6 +++ b/ChangeLog.pre-2-6 @@ -1,3 +1,15 @@ +Tue May 12 02:17:19 1998 Tim Janik + + [security audit by Alan Cox] + + * gtk/gtkobject.c (gtk_object_get_arg_type): check for arg_name to not + exceed maximum assumed size. + + * gtk/gtkmenufactory.c (gtk_menu_factory_create): check that `path' does + not exceed maximum assumed size. + (gtk_menu_factory_remove): likewise. + (gtk_menu_factory_find_recurse): likewise. + Tue May 12 00:21:33 1998 Tim Janik * gtk/gtkwidget.c (gtk_widget_queue_resize): queue the idle_sizer with diff --git a/ChangeLog.pre-2-8 b/ChangeLog.pre-2-8 index dd6c6a3992..cdf5e33cf9 100644 --- a/ChangeLog.pre-2-8 +++ b/ChangeLog.pre-2-8 @@ -1,3 +1,15 @@ +Tue May 12 02:17:19 1998 Tim Janik + + [security audit by Alan Cox] + + * gtk/gtkobject.c (gtk_object_get_arg_type): check for arg_name to not + exceed maximum assumed size. + + * gtk/gtkmenufactory.c (gtk_menu_factory_create): check that `path' does + not exceed maximum assumed size. + (gtk_menu_factory_remove): likewise. + (gtk_menu_factory_find_recurse): likewise. + Tue May 12 00:21:33 1998 Tim Janik * gtk/gtkwidget.c (gtk_widget_queue_resize): queue the idle_sizer with diff --git a/gtk/gtkmenufactory.c b/gtk/gtkmenufactory.c index a2045e6cd3..2ed91d3d69 100644 --- a/gtk/gtkmenufactory.c +++ b/gtk/gtkmenufactory.c @@ -216,6 +216,13 @@ gtk_menu_factory_create (GtkMenuFactory *factory, */ if (!path || path[0] == '\0') return; + else if (strlen (path) >= 250) + { + /* security audit + */ + g_warning ("gtk_menu_factory_create(): argument `path' exceeds maximum size."); + return; + } /* Strip off the next part of the path. */ @@ -329,7 +336,14 @@ gtk_menu_factory_remove (GtkMenuFactory *factory, if (!path || path[0] == '\0') return; - + else if (strlen (path) >= 250) + { + /* security audit + */ + g_warning ("gtk_menu_factory_remove(): argument `path' exceeds maximum size."); + return; + } + p = strchr (path, '/'); if (!p) @@ -468,7 +482,14 @@ gtk_menu_factory_find_recurse (GtkMenuFactory *factory, if (!path || path[0] == '\0') return NULL; - + else if (strlen (path) >= 250) + { + /* security audit + */ + g_warning ("gtk_menu_factory_find_recurse(): argument `path' exceeds maximum size."); + return NULL; + } + p = strchr (path, '/'); if (!p) diff --git a/gtk/gtkobject.c b/gtk/gtkobject.c index c1ca971d1f..d7e684f3c8 100644 --- a/gtk/gtkobject.c +++ b/gtk/gtkobject.c @@ -940,9 +940,19 @@ gtk_object_get_arg_type (const gchar *arg_name) gchar buffer[1024]; gchar *t; + g_return_val_if_fail (arg_name != NULL, 0); + if (!arg_info_ht) return GTK_TYPE_INVALID; + if (!arg_name || strlen (arg_name) > 1000) + { + /* security audit + */ + g_warning ("gtk_object_get_arg_type(): argument `arg_name' exceeds maximum size."); + return 0; + } + t = strchr (arg_name, ':'); if (!t || (t[0] != ':') || (t[1] != ':')) {