Don't corrupt memory when faced with paths with ridiculously large

2007-01-08  Matthias Clasen  <mclasen@redhat.com>

        * gtk/gtktreemodel.c (gtk_tree_path_to_string): Don't
        corrupt memory when faced with paths with ridiculously
        large indices. Found by the GTKVTS test suite.

svn path=/trunk/; revision=17116

diff --git a/ChangeLog b/ChangeLog
index 814a066a1414b9c2740b2e3e00a6cefc08d0c20e..e975906faa3c8b656d3bb592a6ffe6a018c018a6 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2007-01-08  Matthias Clasen  <mclasen@redhat.com>
+
+       * gtk/gtktreemodel.c (gtk_tree_path_to_string): Don't 
+       corrupt memory when faced with paths with ridiculously
+       large indices. Found by the GTKVTS test suite.  
+
 2007-01-08  Matthias Clasen  <mclasen@redhat.com>
 
        * gtk/gtkmodules.c (_gtk_modules_init): Set 

diff --git a/gtk/gtktreemodel.c b/gtk/gtktreemodel.c
index a34e2af2ff868253ee479b5bf4f63c7706ac4b72..88022b805bde8496fc6629981e9972373cff2488 100644 (file)
--- a/gtk/gtktreemodel.c
+++ b/gtk/gtktreemodel.c
@@ -494,22 +494,24 @@ gtk_tree_path_new_from_indices (gint first_index,
 gchar *
 gtk_tree_path_to_string (GtkTreePath *path)
 {
-  gchar *retval, *ptr;
-  gint i;
+  gchar *retval, *ptr, *end;
+  gint i, n;
 
   g_return_val_if_fail (path != NULL, NULL);
 
   if (path->depth == 0)
     return NULL;
 
-  ptr = retval = g_new0 (gchar, path->depth*8);
-  g_sprintf (retval, "%d", path->indices[0]);
-  while (*ptr != '\000')
+  n = path->depth * 12;
+  ptr = retval = g_new0 (gchar, n);
+  end = ptr + n;
+  g_snprintf (retval, end - ptr, "%d", path->indices[0]);
+  while (*ptr != '\000') 
     ptr++;
 
   for (i = 1; i < path->depth; i++)
     {
-      g_sprintf (ptr, ":%d", path->indices[i]);
+      g_snprintf (ptr, end - ptr, ":%d", path->indices[i]);
       while (*ptr != '\000')
        ptr++;
     }