diff options
author | Jeremy Huddleston Sequoia <jeremyhu@apple.com> | 2016-09-18 16:25:22 -0700 |
---|---|---|
committer | Jeremy Huddleston Sequoia <jeremyhu@apple.com> | 2016-09-18 16:25:59 -0700 |
commit | 07b761b0862bcea65b83052b9d960c4459af0466 (patch) | |
tree | 09de5312c641894424c94f5ef47e22e7468f6fc0 | |
parent | ecb248d8865df376a97a795c2e4f58a3bf64c3f1 (diff) |
mkfontscale: Avoid a buffer underrun
https://bugs.freedesktop.org/show_bug.cgi?id=96905
=================================================================
==3068==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000de6f at pc 0x000109df79d1 bp 0x7fff55e37d90 sp 0x7fff55e37550
READ of size 1 at 0x60300000de6f thread T0
#0 0x109df79d0 in wrap_strcmp (libclang_rt.asan_osx_dynamic.dylib+0xe9d0)
#1 0x109dc8ef7 in fontFileOpen (mkfontscale+0x100001ef7)
#2 0x109dc8e0b in bitmapIdentify (mkfontscale+0x100001e0b)
#3 0x109dcc874 in doDirectory (mkfontscale+0x100005874)
#4 0x109dcbc78 in main (mkfontscale+0x100004c78)
#5 0x7fff9083f5ac in start (libdyld.dylib+0x35ac)
#6 0x3 (<unknown module>)
0x60300000de6f is located 1 bytes to the left of 20-byte region [0x60300000de70,0x60300000de84)
allocated by thread T0 here:
#0 0x109e34570 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib+0x4b570)
#1 0x109dca92a in dsprintf (mkfontscale+0x10000392a)
#2 0x109dcc788 in doDirectory (mkfontscale+0x100005788)
#3 0x109dcbc78 in main (mkfontscale+0x100004c78)
#4 0x7fff9083f5ac in start (libdyld.dylib+0x35ac)
#5 0x3 (<unknown module>)
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-rw-r--r-- | ident.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -83,7 +83,7 @@ static inline void * fontFileOpen(fontFile *ff, const char *filename) { int n = strlen(filename); - if (strcmp(filename + n - 4, ".bz2") == 0) { + if (n > 4 && strcmp(filename + n - 4, ".bz2") == 0) { ff->type = bz2FontFile; ff->f.bz2 = BZ2_bzopen(filename, "rb"); ff->pos = 0; |