Fix a possible buffer overflow issue

Fix possible DockingManager::FindEmptyContainer() buffer overflow.

Fix #15850, close #15851
xomx 2024-11-25 04:12:15 +01:00 committed by Don Ho
parent 287c85f8f0
commit b1237df06a
1 changed files with 43 additions and 32 deletions


@ -952,28 +952,39 @@ int DockingManager::GetContainer(DockingCont* pCont)
int DockingManager::FindEmptyContainer() int DockingManager::FindEmptyContainer()
{ {
int iRetCont = -1; int iRetCont = -1;
BOOL* pPrevDockList = (BOOL*) new BOOL[_vContainer.size()+1]; const size_t dockingContVectorSize = _vContainer.size();
BOOL* pArrayPos = &pPrevDockList[1]; const size_t prevDockListBufSize = dockingContVectorSize + 1;
BOOL* pPrevDockList = new BOOL[prevDockListBufSize];
BOOL* pArrayPos = &pPrevDockList[1]; // make a room for the possible iPrevCont==-1 later
// delete all entries // reset all entries
for (size_t iCont = 0, len = _vContainer.size()+1; iCont < len; ++iCont) for (size_t iCont = 0, len = prevDockListBufSize; iCont < len; ++iCont)
{ {
pPrevDockList[iCont] = FALSE; pPrevDockList[iCont] = FALSE;
} }
// search for used floated containers // search for used floating containers
for (size_t iCont = 0; iCont < DOCKCONT_MAX; ++iCont) for (size_t iCont = 0; iCont < DOCKCONT_MAX; ++iCont)
{ {
vector<tTbData*> vTbData = _vContainer[iCont]->getDataOfAllTb(); vector<tTbData*> vTbData = _vContainer[iCont]->getDataOfAllTb();
for (size_t iTb = 0, len = vTbData.size(); iTb < len; ++iTb) for (size_t iTb = 0, len = vTbData.size(); iTb < len; ++iTb)
{
if ((vTbData[iTb]->iPrevCont < static_cast<int>(dockingContVectorSize)) && (vTbData[iTb]->iPrevCont >= -1))
{ {
pArrayPos[vTbData[iTb]->iPrevCont] = TRUE; pArrayPos[vTbData[iTb]->iPrevCont] = TRUE;
} }
else
{
// ? invalid config.xml input data
assert((vTbData[iTb]->iPrevCont < static_cast<int>(dockingContVectorSize)) && (vTbData[iTb]->iPrevCont >= -1));
vTbData[iTb]->iPrevCont = -1; // reset (local copy only)
}
}
} }
// find free container // find free container
for (size_t iCont = DOCKCONT_MAX, len = _vContainer.size(); iCont < len; ++iCont) for (size_t iCont = DOCKCONT_MAX, len = dockingContVectorSize; iCont < len; ++iCont)
{ {
if (pArrayPos[iCont] == FALSE) if (pArrayPos[iCont] == FALSE)
{ {