root-project/root

TGNumberEntry string length checks are inaccurate/dangerous.

Opened this issue · 0 comments

pcanal commented

As seen in #16913, there is some attempt to guarantee that there will be no write past the end of the buffer in the string manipulations. However, in several places it falls short (literally or maybe missing documentation).

We should consider replacing the fixed size buffer or improving the bound checks.

Namely, the routines seem to assume that the buffer has a fixed length of 256, but in several places the buffer is offset compared to its actual beginning.

`StrInt(char *text, Long_t i, Int_t digits)` hard-codes the length 250 for its input buffer; we should pass the actual length left there. In particular, lines TGNumberEntry.cxx:310 and TGNumberEntry.cxx:316 need to be updated.

We should also review the rest of TGNumberEntry.cxx for similar problematic patterns.
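The pattern the issue describes, as an added example that is not ROOT's code: a callee that assumes 250 writable bytes is only safe while the pointer it receives is at most 6 bytes into a 256-byte buffer, so the space actually left has to be passed in. The names `HardCodedLimitOverruns`, `FormatIntBounded` and `AppendInt` are hypothetical; only the sizes 256 and 250 come from the issue.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

constexpr std::size_t kBufSize = 256;   // fixed buffer size the issue mentions
constexpr std::size_t kHardCoded = 250; // limit the issue says StrInt hard-codes

// True when a callee that assumes kHardCoded writable bytes could write past
// the end of a kBufSize buffer it was handed at `offset`.
bool HardCodedLimitOverruns(std::size_t offset)
{
   return offset > kBufSize || kHardCoded > kBufSize - offset;
}

// Hypothetical bounded formatter: `avail` is the space from `text` to the end
// of the underlying buffer, including room for the terminating NUL.
// Returns false and leaves an empty string if the number does not fit.
bool FormatIntBounded(char *text, std::size_t avail, long value, int digits)
{
   if (!text || avail == 0) return false;
   if (digits < 0) digits = 0;
   int n = std::snprintf(text, avail, "%0*ld", digits, value);
   if (n < 0 || static_cast<std::size_t>(n) >= avail) {
      text[0] = '\0';   // never leave a silently truncated number behind
      return false;
   }
   return true;
}

// Caller pattern: append a number after text already in the buffer, passing
// the space that is actually left instead of a constant.
bool AppendInt(char (&buf)[kBufSize], long value, int digits)
{
   const void *nul = std::memchr(buf, '\0', kBufSize);
   if (!nul) return false;   // buffer is not NUL-terminated
   std::size_t used = static_cast<const char *>(nul) - buf;
   return FormatIntBounded(buf + used, kBufSize - used, value, digits);
}

int main()
{
   char buf[kBufSize] = "x=";   // constructed sample input
   bool ok = AppendInt(buf, 42, 5);
   std::printf("ok=%d buf=%s\n", static_cast<int>(ok), buf);
   std::printf("offset 7 unsafe with fixed 250: %d\n", static_cast<int>(HardCodedLimitOverruns(7)));
   return 0;
}
```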