diff options
| author | Michal Srb <msrb@suse.com> | 2017-07-20 13:38:53 +0200 |
|---|---|---|
| committer | Julien Cristau <jcristau@debian.org> | 2017-10-04 20:46:08 +0200 |
| commit | d1e670a4a8704b8708e493ab6155589bcd570608 (patch) | |
| tree | 0457805fd931f65aadd3b3ed4a32fc26d2728573 | |
| parent | 9112a6846b9d8ff18f7568c58e06d0a450e25814 (diff) | |
Check for end of string in PatternMatch (CVE-2017-13720)
If a pattern contains '?' character, any character in the string is skipped,
even if it is '\0'. The rest of the matching then reads invalid memory.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Julien Cristau <jcristau@debian.org>
| -rw-r--r-- | src/fontfile/fontdir.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c index 4ce2473..996b7d1 100644 --- a/src/fontfile/fontdir.c +++ b/src/fontfile/fontdir.c @@ -400,8 +400,10 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes) } } case '?': - if (*string++ == XK_minus) + if ((t = *string++) == XK_minus) stringdashes--; + if (!t) + return 0; break; case '\0': return (*string == '\0'); |