From 06f590456f2b22eccb54f6c097beaea2cb72f8be Mon Sep 17 00:00:00 2001 From: Benjamin Otte Date: Sat, 26 Mar 2011 14:44:12 +0100 Subject: [PATCH] widgetpath: Sanitize pos argument for iters correctly The comparison done was off by one and would have caused invalid reads or writes. --- gtk/gtkwidgetpath.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/gtk/gtkwidgetpath.c b/gtk/gtkwidgetpath.c index 431cc4bb09..177f7b866d 100644 --- a/gtk/gtkwidgetpath.c +++ b/gtk/gtkwidgetpath.c @@ -291,7 +291,7 @@ gtk_widget_path_iter_get_object_type (const GtkWidgetPath *path, g_return_val_if_fail (path != NULL, G_TYPE_INVALID); g_return_val_if_fail (path->elems->len != 0, G_TYPE_INVALID); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -319,7 +319,7 @@ gtk_widget_path_iter_set_object_type (GtkWidgetPath *path, g_return_if_fail (path != NULL); g_return_if_fail (path->elems->len != 0); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -346,7 +346,7 @@ gtk_widget_path_iter_get_name (const GtkWidgetPath *path, g_return_val_if_fail (path != NULL, NULL); g_return_val_if_fail (path->elems->len != 0, NULL); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -375,7 +375,7 @@ gtk_widget_path_iter_set_name (GtkWidgetPath *path, g_return_if_fail (path->elems->len != 0); g_return_if_fail (name != NULL); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -407,7 +407,7 @@ gtk_widget_path_iter_has_qname (const GtkWidgetPath *path, g_return_val_if_fail (path->elems->len != 0, FALSE); g_return_val_if_fail (qname != 0, FALSE); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -438,7 +438,7 @@ gtk_widget_path_iter_has_name (const GtkWidgetPath *path, g_return_val_if_fail (path != NULL, FALSE); g_return_val_if_fail (path->elems->len != 0, FALSE); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; qname = g_quark_try_string (name); @@ -475,7 +475,7 @@ gtk_widget_path_iter_add_class (GtkWidgetPath *path, g_return_if_fail (path->elems->len != 0); g_return_if_fail (name != NULL); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -532,7 +532,7 @@ gtk_widget_path_iter_remove_class (GtkWidgetPath *path, g_return_if_fail (path->elems->len != 0); g_return_if_fail (name != NULL); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; qname = g_quark_try_string (name); @@ -580,7 +580,7 @@ gtk_widget_path_iter_clear_classes (GtkWidgetPath *path, g_return_if_fail (path != NULL); g_return_if_fail (path->elems->len != 0); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -618,7 +618,7 @@ gtk_widget_path_iter_list_classes (const GtkWidgetPath *path, g_return_val_if_fail (path != NULL, NULL); g_return_val_if_fail (path->elems->len != 0, NULL); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -662,7 +662,7 @@ gtk_widget_path_iter_has_qclass (const GtkWidgetPath *path, g_return_val_if_fail (path->elems->len != 0, FALSE); g_return_val_if_fail (qname != 0, FALSE); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -709,7 +709,7 @@ gtk_widget_path_iter_has_class (const GtkWidgetPath *path, g_return_val_if_fail (path->elems->len != 0, FALSE); g_return_val_if_fail (name != NULL, FALSE); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; qname = g_quark_try_string (name); @@ -750,7 +750,7 @@ gtk_widget_path_iter_add_region (GtkWidgetPath *path, g_return_if_fail (name != NULL); g_return_if_fail (_gtk_style_context_check_region_name (name)); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -787,7 +787,7 @@ gtk_widget_path_iter_remove_region (GtkWidgetPath *path, g_return_if_fail (path->elems->len != 0); g_return_if_fail (name != NULL); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; qname = g_quark_try_string (name); @@ -820,7 +820,7 @@ gtk_widget_path_iter_clear_regions (GtkWidgetPath *path, g_return_if_fail (path != NULL); g_return_if_fail (path->elems->len != 0); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -856,7 +856,7 @@ gtk_widget_path_iter_list_regions (const GtkWidgetPath *path, g_return_val_if_fail (path != NULL, NULL); g_return_val_if_fail (path->elems->len != 0, NULL); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -904,7 +904,7 @@ gtk_widget_path_iter_has_qregion (const GtkWidgetPath *path, g_return_val_if_fail (path->elems->len != 0, FALSE); g_return_val_if_fail (qname != 0, FALSE); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; elem = &g_array_index (path->elems, GtkPathElement, pos); @@ -949,7 +949,7 @@ gtk_widget_path_iter_has_region (const GtkWidgetPath *path, g_return_val_if_fail (path->elems->len != 0, FALSE); g_return_val_if_fail (name != NULL, FALSE); - if (pos < 0 || pos > path->elems->len) + if (pos < 0 || pos >= path->elems->len) pos = path->elems->len - 1; qname = g_quark_try_string (name);