Fix unsafe use of alloca reported in bug #11138.

 src/w32menu.c (simple_dialog_show, add_menu_item): Use SAFE_ALLOCA
 instead of alloca.

diff --git a/src/ChangeLog b/src/ChangeLog
index ee54c48..ea80129 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2012-04-01  Eli Zaretskii  <eliz@gnu.org>
+
+       * w32menu.c (simple_dialog_show, add_menu_item): Use SAFE_ALLOCA
+       instead of alloca.  (Bug#11138)
+
 2012-04-01  Andreas Schwab  <schwab@linux-m68k.org>
 
        * w32menu.c (is_simple_dialog): Properly check lisp types.

diff --git a/src/w32menu.c b/src/w32menu.c
index b25edf0..9091cb8 100644 (file)
--- a/src/w32menu.c
+++ b/src/w32menu.c
@@ -1231,6 +1231,7 @@ simple_dialog_show (FRAME_PTR f, Lisp_Object contents, Lisp_Object header)
   if (unicode_message_box)
     {
       WCHAR *text, *title;
+      USE_SAFE_ALLOCA;
 
       if (STRINGP (temp))
        {
@@ -1240,7 +1241,7 @@ simple_dialog_show (FRAME_PTR f, Lisp_Object contents, Lisp_Object header)
             one utf16 word, so we cannot simply use the character
             length of temp.  */
          int utf8_len = strlen (utf8_text);
-         text = alloca ((utf8_len + 1) * sizeof (WCHAR));
+         SAFE_ALLOCA (text, WCHAR *, (utf8_len + 1) * sizeof (WCHAR));
          utf8to16 (utf8_text, utf8_len, text);
        }
       else
@@ -1260,6 +1261,7 @@ simple_dialog_show (FRAME_PTR f, Lisp_Object contents, Lisp_Object header)
        }
 
       answer = unicode_message_box (FRAME_W32_WINDOW (f), text, title, type);
+      SAFE_FREE ();
     }
   else
     {
@@ -1366,6 +1368,7 @@ add_menu_item (HMENU menu, widget_value *wv, HMENU item)
   char *out_string, *p, *q;
   int return_value;
   size_t nlen, orig_len;
+  USE_SAFE_ALLOCA;
 
   if (menu_separator_name_p (wv->name))
     {
@@ -1381,7 +1384,8 @@ add_menu_item (HMENU menu, widget_value *wv, HMENU item)
 
       if (wv->key != NULL)
        {
-         out_string = alloca (strlen (wv->name) + strlen (wv->key) + 2);
+         SAFE_ALLOCA (out_string, char *,
+                      strlen (wv->name) + strlen (wv->key) + 2);
          strcpy (out_string, wv->name);
          strcat (out_string, "\t");
          strcat (out_string, wv->key);
@@ -1415,7 +1419,7 @@ add_menu_item (HMENU menu, widget_value *wv, HMENU item)
       if (nlen > orig_len)
         {
           p = out_string;
-          out_string = alloca (nlen + 1);
+          SAFE_ALLOCA (out_string, char *, nlen + 1);
           q = out_string;
           while (*p)
             {
@@ -1475,7 +1479,7 @@ add_menu_item (HMENU menu, widget_value *wv, HMENU item)
       if (fuFlags & MF_OWNERDRAW)
        utf16_string = local_alloc ((utf8_len + 1) * sizeof (WCHAR));
       else
-       utf16_string = alloca ((utf8_len + 1) * sizeof (WCHAR));
+       SAFE_ALLOCA (utf16_string, WCHAR *, (utf8_len + 1) * sizeof (WCHAR));
 
       utf8to16 (out_string, utf8_len, utf16_string);
       return_value = unicode_append_menu (menu, fuFlags,
@@ -1544,6 +1548,7 @@ add_menu_item (HMENU menu, widget_value *wv, HMENU item)
                              FALSE, &info);
        }
     }
+  SAFE_FREE ();
   return return_value;
 }