Potential buffer overrun and uninit variable fixed, bug 6855.

* keyboard.c (parse_tool_bar_item): malloc buf.  Set TOOL_BAR_ITEM_LABEL
to empty string if not set to new_lbl (Bug#6855).

2 files changed, 10 insertions, 2 deletions

diff --git a/src/ChangeLog b/src/ChangeLog
index 7c76e905c42..316487359cb 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2010-08-15  Jan Djärv  <jan.h.d@swipnet.se>
+
+        * keyboard.c (parse_tool_bar_item): malloc buf.  Set TOOL_BAR_ITEM_LABEL
+        to empty string if not set to new_lbl (Bug#6855).
+
 2010-08-14  Eli Zaretskii  <eliz@gnu.org>
 
         * xterm.c (x_draw_stretch_glyph_string):
diff --git a/src/keyboard.c b/src/keyboard.c
index c92d359f66a..8691788f418 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -8328,14 +8328,14 @@ parse_tool_bar_item (Lisp_Object key, Lisp_Object item)
       Lisp_Object capt = PROP (TOOL_BAR_ITEM_CAPTION);
       const char *label = SYMBOLP (key) ? (char *) SDATA (SYMBOL_NAME (key)) : "";
       const char *caption = STRINGP (capt) ? (char *) SDATA (capt) : "";
-      char buf[64];
       EMACS_INT max_lbl = 2*tool_bar_max_label_size;
+      char *buf = (char *) xmalloc (max_lbl+1);
       Lisp_Object new_lbl;
 
       if (strlen (caption) < max_lbl && caption[0] != '\0')
         {
           strcpy (buf, caption);
-          while (buf[0] != '\0' &&  buf[strlen (buf) -1] == '.')
+          while (buf[0] != '\0' && buf[strlen (buf) -1] == '.')
             buf[strlen (buf)-1] = '\0';
           if (strlen (buf) <= max_lbl)
             caption = buf;
@@ -8361,6 +8361,9 @@ parse_tool_bar_item (Lisp_Object key, Lisp_Object item)
       new_lbl = Fupcase_initials (make_string (label, strlen (label)));
       if (SCHARS (new_lbl) <= tool_bar_max_label_size)
         PROP (TOOL_BAR_ITEM_LABEL) = new_lbl;
+      else
+        PROP (TOOL_BAR_ITEM_LABEL) = make_string ("", 0);
+      free (buf);
     }
 
   /* If got a filter apply it on binding.  */