--- Begin Message ---
Subject: 25.3; buffer overflow in ns-font-name on mac
Date: Fri, 01 Dec 2017 23:53:34 +0900 (JST)
After I evaluate this code in Emacs on the Mac:

  (let ((font-name "") (i 0))
    (while (< i 100)
      (setq font-name (concat font-name "abcdefghijklmnopqrstuvwxyz"))
      (setq i (1+ i)))
    (setq font-name (concat "-*-" font-name "-"))
    (ns-font-name font-name))

Emacs crashes.
The bug is in ns_xlfd_to_fontname() in nsterm.m:

  if (!strncmp (xlfd, "--", 2))
    sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
  else
    sscanf (xlfd, "-%*[^-]-%[^-]179-", name);

The positions of "179" are incorrect. They should be:

  if (!strncmp (xlfd, "--", 2))
    sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
  else
    sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
Thanks.
In GNU Emacs 25.3.1 (x86_64-apple-darwin16.7.0, NS appkit-1504.83 Version
10.12.6 (Build 16G1036))
of 2017-12-01 built on yuukinombp.pink.masm11.ddo.jp
Windowing system distributor 'Apple', version 10.3.1504
Configured using:
'configure --without-x --with-ns --with-modules
PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:/usr/lib64/pkgconfig'
Configured features:
NOTIFY ACL LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES
Important settings:
value of $LANG: ja_JP.UTF-8
locale-coding-system: utf-8-unix
Major mode: Fundamental
Minor modes in effect:
tooltip-mode: t
global-eldoc-mode: t
electric-indent-mode: t
mouse-wheel-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
blink-cursor-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
buffer-read-only: t
line-number-mode: t
transient-mark-mode: t
Recent messages:
Load-path shadows:
None found.
Features:
(shadow sort mail-extr emacsbug message dired format-spec rfc822 mml
mml-sec password-cache epg gnus-util mm-decode mm-bodies mm-encode
mail-parse rfc2231 mailabbrev gmm-utils mailheader sendmail rfc2047
rfc2045 ietf-drums mm-util help-fns mail-prsvr mail-utils ibuf-macs
ibuffer finder-inf info package epg-config seq byte-opt gv bytecomp
byte-compile cl-extra help-mode easymenu cconv cl-loaddefs pcase cl-lib
time-date mule-util japan-util tooltip eldoc electric uniquify
ediff-hook vc-hooks lisp-float-type mwheel ns-win ucs-normalize
term/common-win tool-bar dnd fontset image regexp-opt fringe
tabulated-list newcomment elisp-mode lisp-mode prog-mode register page
menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock font-lock
syntax facemenu font-core frame cl-generic cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms
cp51932 hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese charscript case-table epa-hook jka-cmpr-hook help
simple abbrev minibuffer cl-preloaded nadvice loaddefs button faces
cus-face macroexp files text-properties overlay sha1 md5 base64 format
env code-pages mule custom widget hashtable-print-readable backquote
kqueue cocoa ns multi-tty make-network-process emacs)
Memory information:
((conses 16 220523 8595)
(symbols 48 21882 0)
(miscs 40 81 191)
(strings 32 23156 7162)
(string-bytes 1 718249)
(vectors 16 44445)
(vector-slots 8 816828 4794)
(floats 8 194 21)
(intervals 56 193 0)
(buffers 976 18))
--
Yuuki Harano
--- End Message ---
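The following is an added example, not code from the bug report or from Emacs. It shows why the placement of "179" matters: in "%[^-]179-" the digits come after the conversion, so sscanf treats them as four literal characters to match and the %[^-] scanset has no field width at all; in "%179[^-]" they are the maximum width, so at most 179 characters plus a NUL are stored. The program builds the same 2600-letter input as the Elisp reproducer (constructed here), runs it through both formats, and measures what each wrote. To do that without corrupting memory, the buggy format scans into a scratch buffer known to be larger than the input. Assumptions: the destination is 180 bytes (the declaration of name[] in nsterm.m is not shown in the report); the %n check that tells a truncated name from a complete one is an addition here, not part of the Emacs fix, which truncates silently.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Destination size implied by the fix's "%179[^-]" (179 chars + NUL).  The
   real declaration in nsterm.m is not shown in the report; 180 is assumed. */
#define NAME_LEN 180

struct repro {
    size_t buggy_bytes;      /* bytes the 25.3 format wrote into scratch space */
    size_t fixed_len;        /* strlen of what the fixed format stored */
    int    fixed_status;     /* 1 complete, 0 truncated, -1 no match, -2 error */
    char   fixed_name[NAME_LEN];
};

/* Constructed input mirroring the Elisp reproducer:
   "-*-" followed by 26*repeats letters and a trailing "-". */
static char *make_long_xlfd(size_t repeats)
{
    static const char chunk[] = "abcdefghijklmnopqrstuvwxyz";
    size_t body = (sizeof chunk - 1) * repeats;
    char *s = malloc(body + 5), *p = s;
    if (!s) return NULL;
    memcpy(p, "-*-", 3); p += 3;
    for (size_t i = 0; i < repeats; i++, p += sizeof chunk - 1)
        memcpy(p, chunk, sizeof chunk - 1);
    *p++ = '-';
    *p = '\0';
    return s;
}

/* The Emacs 25.3 format.  "179" follows the conversion, so it is literal
   text to match and the %[^-] scanset is unbounded.  Measured here against
   a scratch buffer already larger than the input; returns the bytes
   written, or (size_t)-1 if scratch is too small to do this safely. */
static size_t scan_buggy(const char *xlfd, char *scratch, size_t scratch_len)
{
    if (strlen(xlfd) >= scratch_len)
        return (size_t)-1;
    scratch[0] = '\0';
    const char *fmt = !strncmp(xlfd, "--", 2) ? "--%*[^-]-%[^-]179-"
                                              : "-%*[^-]-%[^-]179-";
    if (sscanf(xlfd, fmt, scratch) != 1)
        return 0;
    return strlen(scratch);
}

/* The corrected format: %179[^-] stores at most 179 chars + NUL into the
   NAME_LEN-byte out.  %n (added here) records where scanning stopped so a
   silently truncated field can be told from a complete one.
   Returns 1 complete, 0 truncated, -1 no match. */
static int xlfd_family(const char *xlfd, char out[NAME_LEN])
{
    int end = -1;
    out[0] = '\0';
    const char *fmt = !strncmp(xlfd, "--", 2) ? "--%*[^-]-%179[^-]%n"
                                              : "-%*[^-]-%179[^-]%n";
    if (sscanf(xlfd, fmt, out, &end) != 1 || end < 0)
        return -1;
    /* A complete field is followed by the next '-' or the end of input;
       anything else means the width limit cut the name off. */
    return (xlfd[end] == '-' || xlfd[end] == '\0') ? 1 : 0;
}

/* Runs one XLFD string through both formats. */
static struct repro run_case(const char *xlfd)
{
    struct repro r = { 0, 0, -2, "" };
    char scratch[4096];
    if (!xlfd) return r;
    r.buggy_bytes = scan_buggy(xlfd, scratch, sizeof scratch);
    r.fixed_status = xlfd_family(xlfd, r.fixed_name);
    r.fixed_len = strlen(r.fixed_name);
    return r;
}

/* The report's input: 100 repeats of the alphabet, i.e. 2600 letters. */
static struct repro run_long_case(size_t repeats)
{
    char *xlfd = make_long_xlfd(repeats);
    struct repro r = run_case(xlfd);
    free(xlfd);
    return r;
}

int main(void)
{
    struct repro r = run_long_case(100);
    printf("25.3 format wrote %zu bytes into what is a %d-byte name[] in Emacs\n",
           r.buggy_bytes, NAME_LEN);
    printf("fixed format stored %zu chars, status %d (0 = truncated)\n",
           r.fixed_len, r.fixed_status);
    r = run_case("-*-Monaco-");
    printf("\"-*-Monaco-\" -> \"%s\", status %d\n", r.fixed_name, r.fixed_status);
    return 0;
}
```

With the reproducer input the 25.3 format writes 2600 bytes, far past a 180-byte name[], which is the overflow the report describes; the corrected format stores 179 characters and the %n check reports that the name was cut off, so a caller can reject or log it instead of proceeding with a truncated font family.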
--- Begin Message ---
Subject: Re: bug#29523: 25.3; buffer overflow in ns-font-name on mac
Date: Sat, 2 Dec 2017 13:50:21 +0000
User-agent: Mutt/1.9.1 (2017-09-22)
On Sat, Dec 02, 2017 at 10:10:09AM +0200, Eli Zaretskii wrote:
> > Date: Fri, 1 Dec 2017 19:43:08 +0000
> > From: Alan Third <address@hidden>
> > Cc: address@hidden
> >
> > > The bug is in ns_xlfd_to_fontname() in nsterm.m:
> > >
> > > if (!strncmp (xlfd, "--", 2))
> > > sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
> > > else
> > > sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> > >
> > > The positions of "179" are incorrect. They should be:
> > >
> > > if (!strncmp (xlfd, "--", 2))
> > > sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
> > > else
> > > sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
> >
> > Thanks for the fix. I expect this is copyright exempt
>
> It is.
Thanks for the confirmation. I’ve pushed to emacs-26.
--
Alan Third
--- End Message ---