From 1bef30d5030ef5fc1a94cad98b069daa92293fb2 Mon Sep 17 00:00:00 2001 From: Manolo Gouy Date: Mon, 30 May 2011 16:47:48 +0000 Subject: [PATCH] Fix STR #2647: crash when copying text from firefox under X11. git-svn-id: file:///fltk/svn/fltk/branches/branch-1.3@8764 ea41ed52-d2ee-0310-a9c1-e6b18d33e121 --- src/Fl_x.cxx | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/src/Fl_x.cxx b/src/Fl_x.cxx index 00274b315..c196b6e5c 100644 --- a/src/Fl_x.cxx +++ b/src/Fl_x.cxx @@ -945,7 +945,7 @@ int fl_handle(const XEvent& thisevent) // bugs in X servers, or maybe to avoid an extra round-trip to // get the property length. I copy this here: Atom actual; int format; unsigned long count, remaining; - unsigned char* portion; + unsigned char* portion = NULL; if (XGetWindowProperty(fl_display, fl_xevent->xselection.requestor, fl_xevent->xselection.property, @@ -971,18 +971,17 @@ int fl_handle(const XEvent& thisevent) fl_event_time); return true; } - XTextProperty text_prop; - text_prop.value=portion; - text_prop.format=format; - text_prop.encoding=actual; - text_prop.nitems=count; - char **text_list; - text_list = (char**)&portion; - int bytesnew = strlen(*text_list)+1; - buffer = (unsigned char*)realloc(buffer, bytesread+bytesnew+remaining); - memcpy(buffer+bytesread, *text_list, bytesnew); + // Make sure we got something sane... + if ((portion == NULL) || (format != 8) || (count == 0)) { + if (portion) XFree(portion); + return true; + } + buffer = (unsigned char*)realloc(buffer, bytesread+count+remaining+1); + memcpy(buffer+bytesread, portion, count); XFree(portion); - bytesread += bytesnew - 1; + bytesread += count; + // Cannot trust data to be null terminated + buffer[bytesread] = '\0'; if (!remaining) break; } if (buffer) {