diff options
author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2018-07-27 16:37:17 +0200 |
---|---|---|
committer | Matthieu Herrb <matthieu@herrb.eu> | 2018-08-21 16:43:06 +0200 |
commit | dbf72805fd9d7b1846fe9a11b46f3994bfc27fea (patch) | |
tree | 8dc343c70e94cca37b5f8d4d495d668176833f01 | |
parent | b469da1430cdcee06e31c6251b83aede072a1ff0 (diff) |
Fixed out of boundary write (CVE-2018-14600).
The length value is interpreted as signed char on many systems
(depending on default signedness of char), which can lead to an out of
boundary write up to 128 bytes in front of the allocated storage, but
limited to NUL byte(s).
Casting the length value to unsigned char fixes the problem and allows
string values with up to 255 characters.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-rw-r--r-- | src/GetFPath.c | 4 | ||||
-rw-r--r-- | src/ListExt.c | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/src/GetFPath.c b/src/GetFPath.c index 7ad21e9a..813757cc 100644 --- a/src/GetFPath.c +++ b/src/GetFPath.c @@ -70,12 +70,12 @@ char **XGetFontPath( * unpack into null terminated strings. */ chend = ch + nbytes; - length = *ch; + length = *(unsigned char *)ch; for (i = 0; i < rep.nPaths; i++) { if (ch + length < chend) { flist[i] = ch+1; /* skip over length */ ch += length + 1; /* find next length ... */ - length = *ch; + length = *(unsigned char *)ch; *ch = '\0'; /* and replace with null-termination */ count++; } else diff --git a/src/ListExt.c b/src/ListExt.c index 8f344ac0..0498aa18 100644 --- a/src/ListExt.c +++ b/src/ListExt.c @@ -75,12 +75,12 @@ char **XListExtensions( * unpack into null terminated strings. */ chend = ch + rlen; - length = *ch; + length = *(unsigned char *)ch; for (i = 0; i < rep.nExtensions; i++) { if (ch + length < chend) { list[i] = ch+1; /* skip over length */ ch += length + 1; /* find next length ... */ - length = *ch; + length = *(unsigned char *)ch; *ch = '\0'; /* and replace with null-termination */ count++; } else |