authorAlex Richardson <Alexander.Richardson@cl.cam.ac.uk>2021-07-14 17:23:48 +0100
committerAlex Richardson <Alexander.Richardson@cl.cam.ac.uk>2021-07-14 17:23:48 +0100
commitdaff8876379c64c7bee126319af804896f83b5da (patch)
tree2e0100dd43c2c91a74ebca15d3b64c1319473e1d
parentce7a3265019e4d66198c1581d9e8c859c34e8ef1 (diff)
Fix out-of-bounds read in FontFileMakeDir()
BuiltinReadDirectory() calls FontFileMakeDir("", builtin_dir_count), and with an empty dirName (dirlen == 0) the `dirName[dirlen - 1]` access reads one byte before the start of the string. I found this while porting Xvnc to CHERI-RISC-V (which has bounds and permissions on all pointers).
-rw-r--r--src/fontfile/fontdir.c5
1 files changed, 1 insertions, 4 deletions
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index f4edc01..c8a6a0e 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -125,10 +125,7 @@ FontFileMakeDir(const char *dirName, int size)
dirlen = strlen(dirName);
attriblen = 0;
}
- if (dirName[dirlen - 1] != '/')
-#ifdef NCD
- if (dirlen) /* leave out slash for builtins */
-#endif
+ if (dirlen && dirName[dirlen - 1] != '/')
needslash = 1;
dir = malloc(sizeof *dir + dirlen + needslash + 1 +
(attriblen ? attriblen + 1 : 0));
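Review bot: The new condition `if (dirlen && dirName[dirlen - 1] != '/')` drops the only in-code explanation of why an empty name is exempt from the slash, the removed `/* leave out slash for builtins */`, so a reader now has to find the commit message to learn that an empty dirName means a builtin directory; keep that intent next to the check, e.g. `if (dirlen && dirName[dirlen - 1] != '/') /* empty name: builtin dir, no slash */`. A second point worth confirming: on non-NCD builds the empty-name case previously went through the out-of-bounds read, which in practice would usually yield a byte other than '/' and so set needslash, meaning the builtin directory's stored name likely changes from "/" to "" with this patch; that old result was undefined behaviour rather than a contract, but anything that compares or prints the builtin dir name should be checked. FontFileMakeDir's body starts before this hunk (where dirlen and needslash are set up) and continues after it.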