bug-gnu-emacs

bug#29523: 25.3; buffer overflow in ns-font-name on mac


From: Alan Third
Subject: bug#29523: 25.3; buffer overflow in ns-font-name on mac
Date: Fri, 1 Dec 2017 19:43:08 +0000
User-agent: Mutt/1.9.1 (2017-09-22)

On Fri, Dec 01, 2017 at 11:53:34PM +0900, Yuuki Harano wrote:
> After I evaluate this code on mac Emacs:
> 
> (let ((font-name "") (i 0))
>   (while (< i 100)
>     (setq font-name (concat font-name "abcdefghijklmnopqrstuvwxyz"))
>     (setq i (1+ i)))
>   (setq font-name (concat "-*-" font-name "-"))
>   (ns-font-name font-name)
>   )
> 
> then, Emacs crashes.
> 
> The bug is in ns_xlfd_to_fontname() in nsterm.m:
> 
>   if (!strncmp (xlfd, "--", 2))
>     sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
>   else
>     sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> 
> The positions of "179" are incorrect. They should be:
> 
>   if (!strncmp (xlfd, "--", 2))
>     sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
>   else
>     sscanf (xlfd, "-%*[^-]-%179[^-]-", name);

Thanks for the fix. I expect this is copyright exempt, so I’ll push
the fix to emacs-26 soon.
-- 
Alan Third
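As an added illustration (not code from the report, from Alan's fix, or from Emacs itself), the two sscanf formats run side by side in C on the report's long input: with "179" after the scanset it is literal text to match, so nothing bounds the copy, while `%179[^-]` stores at most 179 bytes. The function names, the 180-byte NAME_LEN, and the oversized scratch buffer used only to measure the unbounded copy are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed destination size: %179 stores at most 179 bytes plus the NUL. */
#define NAME_LEN 180

/* Hardened parse from the report: the width sits between '%' and the scanset,
 * so at most 179 bytes land in name. Returns the family length or -1. */
int xlfd_family_safe (const char *xlfd, char name[NAME_LEN])
{
  int rc;
  if (!strncmp (xlfd, "--", 2))
    rc = sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
  else
    rc = sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
  return rc >= 1 ? (int) strlen (name) : -1;
}

/* Same, with the fixed-size buffer declared here so callers see the bound. */
int xlfd_family_safe_len (const char *xlfd)
{
  char name[NAME_LEN];
  return xlfd_family_safe (xlfd, name);
}

/* The original format, run only to measure what it would store: "179" after
 * the scanset is literal text to match, not a width, so nothing bounds the
 * copy. The oversized scratch buffer keeps this measurement itself in bounds. */
int xlfd_family_unbounded_len (const char *xlfd)
{
  static char scratch[4096];   /* larger than any input constructed below */
  int rc;
  if (!strncmp (xlfd, "--", 2))
    rc = sscanf (xlfd, "--%*[^-]-%[^-]179-", scratch);
  else
    rc = sscanf (xlfd, "-%*[^-]-%[^-]179-", scratch);
  return rc >= 1 ? (int) strlen (scratch) : -1;
}

/* Constructed input mirroring the report's Lisp: "-*-", 100 copies of the
 * alphabet (2600 bytes), then "-". Returns a static buffer. */
const char *long_xlfd (void)
{
  static char buf[2700];
  strcpy (buf, "-*-");
  for (int i = 0; i < 100; i++)
    strcat (buf, "abcdefghijklmnopqrstuvwxyz");
  return strcat (buf, "-");
}
```

With a real 180-byte destination the original format would write all 2600 bytes past the end; the safe format stops at 179 and simply fails to match the trailing '-', which is the truncation the fix accepts.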