From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Chong Yidong <cyd@stupidchicken.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#4763: Buffer overflow in ns_get_color (nsterm.m:1347)
Date: Fri, 01 Jan 2010 17:11:38 -0500
Message-ID: <87ocldxyp1.fsf@stupidchicken.com>
Reply-To: Chong Yidong <cyd@stupidchicken.com>, 4763@debbugs.gnu.org
NNTP-Posting-Host: lo.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: ger.gmane.org 1262384414 11146 80.91.229.12 (1 Jan 2010 22:20:14 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Fri, 1 Jan 2010 22:20:14 +0000 (UTC)
Cc: 4763@debbugs.gnu.org
To: Mike <deactivated@gmail.com>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Fri Jan 01 23:20:06 2010
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([199.232.76.165])
	by lo.gmane.org with esmtp (Exim 4.50)
	id 1NQpqm-0001cq-Ct
	for geb-bug-gnu-emacs@m.gmane.org; Fri, 01 Jan 2010 23:20:04 +0100
Original-Received: from localhost ([127.0.0.1]:51276 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43)
	id 1NQpqm-0005nP-Hp
	for geb-bug-gnu-emacs@m.gmane.org; Fri, 01 Jan 2010 17:20:04 -0500
Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1NQpqh-0005n8-AI
	for bug-gnu-emacs@gnu.org; Fri, 01 Jan 2010 17:19:59 -0500
Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1NQpqW-0005mH-SV
	for bug-gnu-emacs@gnu.org; Fri, 01 Jan 2010 17:19:59 -0500
Original-Received: from [199.232.76.173] (port=47527 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1NQpqW-0005mE-OB
	for bug-gnu-emacs@gnu.org; Fri, 01 Jan 2010 17:19:48 -0500
Original-Received: from [140.186.70.43] (port=34284 helo=debbugs.gnu.org)
	by monty-python.gnu.org with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.60) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1NQpqV-0001Z6-2g
	for bug-gnu-emacs@gnu.org; Fri, 01 Jan 2010 17:19:48 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.69)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1NQpiz-0001jy-RM; Fri, 01 Jan 2010 17:12:01 -0500
X-Loop: bug-gnu-emacs@gnu.org
Mail-Followup-To: Chong Yidong <cyd@stupidchicken.com>, 4763@debbugs.gnu.org
Resent-From: Chong Yidong <cyd@stupidchicken.com>
Original-Sender: debbugs-submit-bounces@debbugs.gnu.org
Resent-To: owner@debbugs.gnu.org
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Fri, 01 Jan 2010 22:12:01 +0000
Resent-Message-ID: <handler.4763.B4763.12623839176684@debbugs.gnu.org>
Resent-Sender: bug-gnu-emacs@gnu.org
X-Emacs-PR-Message: followup 4763
X-Emacs-PR-Package: emacs,ns
X-Emacs-PR-Keywords: 
Original-Received: via spool by 4763-submit@debbugs.gnu.org id=B4763.12623839176684
	(code B ref 4763); Fri, 01 Jan 2010 22:12:01 +0000
Original-Received: (at 4763) by debbugs.gnu.org; 1 Jan 2010 22:11:57 +0000
Original-Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1NQpiu-0001jl-SE
	for submit@debbugs.gnu.org; Fri, 01 Jan 2010 17:11:57 -0500
Original-Received: from pantheon-po29.its.yale.edu ([130.132.50.124])
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <cyd@stupidchicken.com>) id 1NQpih-0001jg-Ab
	for 4763@debbugs.gnu.org; Fri, 01 Jan 2010 17:11:55 -0500
Original-Received: from furry (162.254.218.209.transedge.com [209.218.254.162])
	(authenticated bits=0)
	by pantheon-po29.its.yale.edu (8.12.11.20060308/8.12.11) with ESMTP id
	o01MBc2h009487
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
	Fri, 1 Jan 2010 17:11:39 -0500
Original-Received: by furry (Postfix, from userid 1000)
	id 8DC20C05D; Fri,  1 Jan 2010 17:11:38 -0500 (EST)
X-YaleITSMailFilter: Version 1.2c (attachment(s) not renamed)
X-Spam-Score: -2.6 (--)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.11
Precedence: list
X-Spam-Score: -2.7 (--)
Resent-Date: Fri, 01 Jan 2010 17:12:01 -0500
X-detected-operating-system: by monty-python.gnu.org: GNU/Linux 2.6 (newer, 3)
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <http://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <http://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:33837
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/33837>

>    1347   else if (!strncmp(name, "rgb:", 4))  /* A newer X11 format
> -- rgb:r/g/b */
>    1348     {
>    1349       strcpy(hex, name + 4);
>    1350       scaling = (strlen(hex) - 2) / 3;
>    1351     }
>
> strcpy will happily overwrite the bounds of hex.

Thanks for catching this.  I've checked in a fix.