[security audit by Alan Cox]

Tue May 12 02:31:57 1998  Tim Janik  <timj@gtk.org>

        [security audit by Alan Cox]

        * gtk/gtkobject.c (gtk_object_get_arg_type): check for arg_name to not
        exceed maximum assumed size.

        * gtk/gtkmenufactory.c (gtk_menu_factory_create): check that `path' does
        not exceed maximum assumed size.
        (gtk_menu_factory_remove): likewise.
        (gtk_menu_factory_find_recurse): likewise.

1 files changed, 23 insertions, 2 deletions

diff --git a/gtk/gtkmenufactory.c b/gtk/gtkmenufactory.c
index a2045e6cd..2ed91d3d6 100644
--- a/gtk/gtkmenufactory.c
+++ b/gtk/gtkmenufactory.c
@@ -216,6 +216,13 @@ gtk_menu_factory_create (GtkMenuFactory *factory,
    */
   if (!path || path[0] == '\0')
     return;
+  else if (strlen (path) >= 250)
+    {
+      /* security audit
+       */
+      g_warning ("gtk_menu_factory_create(): argument `path' exceeds maximum size.");
+      return;
+    }
 
   /* Strip off the next part of the path.
    */
@@ -329,7 +336,14 @@ gtk_menu_factory_remove (GtkMenuFactory *factory,
 
   if (!path || path[0] == '\0')
     return;
-
+  else if (strlen (path) >= 250)
+    {
+      /* security audit
+       */
+      g_warning ("gtk_menu_factory_remove(): argument `path' exceeds maximum size.");
+      return;
+    }
+  
   p = strchr (path, '/');
 
   if (!p)
@@ -468,7 +482,14 @@ gtk_menu_factory_find_recurse (GtkMenuFactory *factory,
 
   if (!path || path[0] == '\0')
     return NULL;
-
+  else if (strlen (path) >= 250)
+    {
+      /* security audit
+       */
+      g_warning ("gtk_menu_factory_find_recurse(): argument `path' exceeds maximum size.");
+      return NULL;
+    }
+  
   p = strchr (path, '/');
 
   if (!p)