Fix a possible buffer overflow issue

Fix possible DockingManager::FindEmptyContainer() buffer overflow. Fix #15850, close #15851
2024-11-25 04:12:15 +01:00 · 2024-11-25 04:12:15 +01:00 · b1237df06a
parent 287c85f8f0
commit b1237df06a
1 changed files with 43 additions and 32 deletions
--- a/PowerEditor/src/WinControls/DockingWnd/DockingManager.cpp
+++ b/PowerEditor/src/WinControls/DockingWnd/DockingManager.cpp
@ -951,43 +951,54 @@ int DockingManager::GetContainer(DockingCont* pCont)
 int DockingManager::FindEmptyContainer()
 {
-    int      iRetCont       = -1;
+	int iRetCont = -1;
-    BOOL*    pPrevDockList  = (BOOL*) new BOOL[_vContainer.size()+1];
+	const size_t dockingContVectorSize = _vContainer.size();
-    BOOL*    pArrayPos      = &pPrevDockList[1];
+	const size_t prevDockListBufSize = dockingContVectorSize + 1;
 	BOOL* pPrevDockList = new BOOL[prevDockListBufSize];
 	BOOL* pArrayPos = &pPrevDockList[1]; // make a room for the possible iPrevCont==-1 later
-    // delete all entries
+	// reset all entries
-    for (size_t iCont = 0, len = _vContainer.size()+1; iCont < len; ++iCont)
+	for (size_t iCont = 0, len = prevDockListBufSize; iCont < len; ++iCont)
-    {
+	{
-        pPrevDockList[iCont] = FALSE;
+		pPrevDockList[iCont] = FALSE;
-    }
+	}
-    // search for used floated containers
+	// search for used floating containers
-    for (size_t iCont = 0; iCont < DOCKCONT_MAX; ++iCont)
+	for (size_t iCont = 0; iCont < DOCKCONT_MAX; ++iCont)
-    {
+	{
-        vector<tTbData*>    vTbData = _vContainer[iCont]->getDataOfAllTb();
+		vector<tTbData*> vTbData = _vContainer[iCont]->getDataOfAllTb();
-        for (size_t iTb = 0, len = vTbData.size(); iTb < len; ++iTb)
+		for (size_t iTb = 0, len = vTbData.size(); iTb < len; ++iTb)
-        {
+		{
-            pArrayPos[vTbData[iTb]->iPrevCont] = TRUE;
+			if ((vTbData[iTb]->iPrevCont < static_cast<int>(dockingContVectorSize)) && (vTbData[iTb]->iPrevCont >= -1))
-        }
+			{
-    }
+				pArrayPos[vTbData[iTb]->iPrevCont] = TRUE;
 			}
 			else
 			{
 				// ? invalid config.xml input data
 				assert((vTbData[iTb]->iPrevCont < static_cast<int>(dockingContVectorSize)) && (vTbData[iTb]->iPrevCont >= -1));
 				vTbData[iTb]->iPrevCont = -1; // reset (local copy only)
 			}
 		}
 	}
-    // find free container
+	// find free container
-    for (size_t iCont = DOCKCONT_MAX, len = _vContainer.size(); iCont < len; ++iCont)
+	for (size_t iCont = DOCKCONT_MAX, len = dockingContVectorSize; iCont < len; ++iCont)
-    {
+	{
-        if (pArrayPos[iCont] == FALSE)
+		if (pArrayPos[iCont] == FALSE)
-        {
+		{
-            // and test if container is hidden
+			// and test if container is hidden
-            if (!_vContainer[iCont]->isVisible())
+			if (!_vContainer[iCont]->isVisible())
-            {
+			{
 				iRetCont = static_cast<int32_t>(iCont);
-                break;
+				break;
-            }
+			}
-        }
+		}
-    }
+	}
-    delete [] pPrevDockList;
+	delete [] pPrevDockList;
-    // search for empty arrays
+	// search for empty arrays
-    return iRetCont;
+	return iRetCont;
 }