Fix a possible buffer overflow issue

Fix possible DockingManager::FindEmptyContainer() buffer overflow. Fix #15850, close #15851
2024-11-25 04:12:15 +01:00 · 2024-11-25 04:12:15 +01:00 · b1237df06a
parent 287c85f8f0
commit b1237df06a
1 changed files with 43 additions and 32 deletions
--- a/PowerEditor/src/WinControls/DockingWnd/DockingManager.cpp
+++ b/PowerEditor/src/WinControls/DockingWnd/DockingManager.cpp
@ -951,43 +951,54 @@ int DockingManager::GetContainer(DockingCont* pCont)

 int DockingManager::FindEmptyContainer()
 {
-    int      iRetCont       = -1;
-    BOOL*    pPrevDockList  = (BOOL*) new BOOL[_vContainer.size()+1];
-    BOOL*    pArrayPos      = &pPrevDockList[1];
+	int iRetCont = -1;
+	const size_t dockingContVectorSize = _vContainer.size();
+	const size_t prevDockListBufSize = dockingContVectorSize + 1;
+	BOOL* pPrevDockList = new BOOL[prevDockListBufSize];
+	BOOL* pArrayPos = &pPrevDockList[1]; // make a room for the possible iPrevCont==-1 later

-    // delete all entries
-    for (size_t iCont = 0, len = _vContainer.size()+1; iCont < len; ++iCont)
-    {
-        pPrevDockList[iCont] = FALSE;
-    }
+	// reset all entries
+	for (size_t iCont = 0, len = prevDockListBufSize; iCont < len; ++iCont)
+	{
+		pPrevDockList[iCont] = FALSE;
+	}

-    // search for used floated containers
-    for (size_t iCont = 0; iCont < DOCKCONT_MAX; ++iCont)
-    {
-        vector<tTbData*>    vTbData = _vContainer[iCont]->getDataOfAllTb();
+	// search for used floating containers
+	for (size_t iCont = 0; iCont < DOCKCONT_MAX; ++iCont)
+	{
+		vector<tTbData*> vTbData = _vContainer[iCont]->getDataOfAllTb();

-        for (size_t iTb = 0, len = vTbData.size(); iTb < len; ++iTb)
-        {
-            pArrayPos[vTbData[iTb]->iPrevCont] = TRUE;
-        }
-    }
+		for (size_t iTb = 0, len = vTbData.size(); iTb < len; ++iTb)
+		{
+			if ((vTbData[iTb]->iPrevCont < static_cast<int>(dockingContVectorSize)) && (vTbData[iTb]->iPrevCont >= -1))
+			{
+				pArrayPos[vTbData[iTb]->iPrevCont] = TRUE;
+			}
+			else
+			{
+				// ? invalid config.xml input data
+				assert((vTbData[iTb]->iPrevCont < static_cast<int>(dockingContVectorSize)) && (vTbData[iTb]->iPrevCont >= -1));
+				vTbData[iTb]->iPrevCont = -1; // reset (local copy only)
+			}
+		}
+	}

-    // find free container
-    for (size_t iCont = DOCKCONT_MAX, len = _vContainer.size(); iCont < len; ++iCont)
-    {
-        if (pArrayPos[iCont] == FALSE)
-        {
-            // and test if container is hidden
-            if (!_vContainer[iCont]->isVisible())
-            {
+	// find free container
+	for (size_t iCont = DOCKCONT_MAX, len = dockingContVectorSize; iCont < len; ++iCont)
+	{
+		if (pArrayPos[iCont] == FALSE)
+		{
+			// and test if container is hidden
+			if (!_vContainer[iCont]->isVisible())
+			{
 				iRetCont = static_cast<int32_t>(iCont);
-                break;
-            }
-        }
-    }
+				break;
+			}
+		}
+	}

-    delete [] pPrevDockList;
+	delete [] pPrevDockList;

-    // search for empty arrays
-    return iRetCont;
+	// search for empty arrays
+	return iRetCont;
 }