From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Johan =?UTF-8?Q?Bockg=C3=A5rd?= <bojohan@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#6855: 24.0.50; Bug in tool bar label handling
Date: Sat, 14 Aug 2010 14:04:25 +0200
Message-ID: <877hjt1jue.fsf@gnu.org>
NNTP-Posting-Host: lo.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: dough.gmane.org 1281791340 26529 80.91.229.12 (14 Aug 2010 13:09:00 GMT)
X-Complaints-To: usenet@dough.gmane.org
NNTP-Posting-Date: Sat, 14 Aug 2010 13:09:00 +0000 (UTC)
To: 6855@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Sat Aug 14 15:08:59 2010
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([199.232.76.165])
	by lo.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1OkGTm-0007z6-NG
	for geb-bug-gnu-emacs@m.gmane.org; Sat, 14 Aug 2010 15:08:55 +0200
Original-Received: from localhost ([127.0.0.1]:48144 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43)
	id 1OkGTl-0003e5-J1
	for geb-bug-gnu-emacs@m.gmane.org; Sat, 14 Aug 2010 09:08:53 -0400
Original-Received: from [140.186.70.92] (port=39008 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1OkGTc-0003bU-7j
	for bug-gnu-emacs@gnu.org; Sat, 14 Aug 2010 09:08:45 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1OkGTa-0000xE-3E
	for bug-gnu-emacs@gnu.org; Sat, 14 Aug 2010 09:08:44 -0400
Original-Received: from debbugs.gnu.org ([140.186.70.43]:52752)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1OkGTa-0000xA-1X
	for bug-gnu-emacs@gnu.org; Sat, 14 Aug 2010 09:08:42 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.69)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1OkG8c-0004TP-6M; Sat, 14 Aug 2010 08:47:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Johan =?UTF-8?Q?Bockg=C3=A5rd?= <bojohan@gnu.org>
Original-Sender: debbugs-submit-bounces@debbugs.gnu.org
Resent-To: owner@debbugs.gnu.org
Resent-CC: jan.h.d@swipnet.se, bug-gnu-emacs@gnu.org
Resent-Date: Sat, 14 Aug 2010 12:47:02 +0000
Resent-Message-ID: <handler.6855.B.128179000017186@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 6855
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
X-Debbugs-Original-To: bug-gnu-emacs@gnu.org
X-Debbugs-Original-Xcc: jan.h.d@swipnet.se
Original-Received: via spool by submit@debbugs.gnu.org id=B.128179000017186
	(code B ref -1); Sat, 14 Aug 2010 12:47:02 +0000
Original-Received: (at submit) by debbugs.gnu.org; 14 Aug 2010 12:46:40 +0000
Original-Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1OkG8F-0004T9-Vx
	for submit@debbugs.gnu.org; Sat, 14 Aug 2010 08:46:40 -0400
Original-Received: from mail.gnu.org ([199.232.76.166] helo=mx10.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <bojohan@gnu.org>) id 1OkG8E-0004T4-68
	for submit@debbugs.gnu.org; Sat, 14 Aug 2010 08:46:38 -0400
Original-Received: from lists.gnu.org ([199.232.76.165]:51184)
	by monty-python.gnu.org with esmtps
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.60)
	(envelope-from <bojohan@gnu.org>) id 1OkFTT-0003xz-5e
	for submit@debbugs.gnu.org; Sat, 14 Aug 2010 08:04:31 -0400
Original-Received: from [140.186.70.92] (port=49092 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1OkFTR-0000GJ-Ty
	for bug-gnu-emacs@gnu.org; Sat, 14 Aug 2010 08:04:30 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <bojohan@gnu.org>) id 1OkFTP-0000SB-Sk
	for bug-gnu-emacs@gnu.org; Sat, 14 Aug 2010 08:04:29 -0400
Original-Received: from smtprelay-b11.telenor.se ([62.127.194.20]:37625)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <bojohan@gnu.org>) id 1OkFTP-0000S3-Ji
	for bug-gnu-emacs@gnu.org; Sat, 14 Aug 2010 08:04:27 -0400
Original-Received: from ipb1.telenor.se (ipb1.telenor.se [195.54.127.164])
	by smtprelay-b11.telenor.se (Postfix) with ESMTP id 6F906E9694
	for <bug-gnu-emacs@gnu.org>; Sat, 14 Aug 2010 14:04:26 +0200 (CEST)
X-SENDER-IP: [85.228.195.132]
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AuQ6AIcjZkxV5MOEPGdsb2JhbACTNI0QDAEBAQE1LbsGhTsE
X-IronPort-AV: E=Sophos;i="4.55,367,1278280800"; d="scan'208";a="119214920"
Original-Received: from c-84c3e455.04-211-6c6b701.cust.bredbandsbolaget.se (HELO
	muon.localdomain) ([85.228.195.132])
	by ipb1.telenor.se with ESMTP; 14 Aug 2010 14:04:26 +0200
Original-Received: by muon.localdomain (Postfix, from userid 1000)
	id 4C37F4841C1; Sat, 14 Aug 2010 14:04:25 +0200 (CEST)
Mail-Copies-To: never
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-detected-operating-system: by monty-python.gnu.org: GNU/Linux 2.6,
	seldom 2.4 (older, 4)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.11
Precedence: list
Resent-Date: Sat, 14 Aug 2010 08:47:02 -0400
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <http://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <http://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:39476
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/39476>


There are some bugs in the handling of tool bar labels that can cause
Emacs to crash.



### gtkutil.c: update_frame_tool_bar ###

    char *label = SSDATA (PROP (TOOL_BAR_ITEM_LABEL));

Here we take string data out.



### keyboard.c: parse_tool_bar_item ###

      else if (EQ (key, QClabel))
        {
          /* `:label LABEL-STRING'.  */
          PROP (TOOL_BAR_ITEM_LABEL) = value;
          have_label = 1;
        }

But here we put an arbitrary object in.


...

  if (!have_label)

...
      char buf[64];
      EMACS_INT max_lbl = 2*tool_bar_max_label_size;
      Lisp_Object new_lbl;

      if (strlen (caption) < max_lbl && caption[0] != '\0')
        {
          strcpy (buf, caption);

tool-bar-max-label-size is a user variable, so this can mean a buffer
overflow.


...
      if (SCHARS (new_lbl) <= tool_bar_max_label_size)
        PROP (TOOL_BAR_ITEM_LABEL) = new_lbl;

If we came here but the branch is not taken, the label will be nil,
not a string.