author | Alex Richardson <Alexander.Richardson@cl.cam.ac.uk> | 2021-07-14 17:23:48 +0100 |
---|---|---|
committer | Alex Richardson <Alexander.Richardson@cl.cam.ac.uk> | 2021-07-14 17:23:48 +0100 |
commit | daff8876379c64c7bee126319af804896f83b5da (patch) | |
tree | 2e0100dd43c2c91a74ebca15d3b64c1319473e1d | |
parent | ce7a3265019e4d66198c1581d9e8c859c34e8ef1 (diff) |
Fix out-of-bounds read in FontFileMakeDir()
BuiltinReadDirectory() calls FontFileMakeDir ("", builtin_dir_count); and
this causes the `dirName[dirlen - 1]` access to read before the start of
the string. I found this while porting Xvnc to CHERI-RISC-V (which has
bounds and permissions on all pointers).
-rw-r--r-- | src/fontfile/fontdir.c | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index f4edc01..c8a6a0e 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -125,10 +125,7 @@ FontFileMakeDir(const char *dirName, int size)
 dirlen = strlen(dirName);
 attriblen = 0;
 }
- if (dirName[dirlen - 1] != '/')
-#ifdef NCD
- if (dirlen) /* leave out slash for builtins */
-#endif
+ if (dirlen && dirName[dirlen - 1] != '/')
 needslash = 1;
 dir = malloc(sizeof *dir + dirlen + needslash + 1 +
 (attriblen ? attriblen + 1 : 0)); |
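Review bot: The rewritten condition drops the `/* leave out slash for builtins */` comment that explained why `dirlen` can be zero here, so the new guard reads as a generic defensive check rather than the one caller it exists for; keep the intent on the line, e.g. `if (dirlen && dirName[dirlen - 1] != '/') /* "" is the builtin dir: no slash */`. For non-NCD builds this is also a behavior change, not only a bounds fix: the old code read the byte before an empty `dirName` and may have added a leading '/' to the builtin directory name depending on that byte, whereas the new code never does, which is worth stating in the commit message in case anything compares that name. FontFileMakeDir starts before the hunk and continues after it, so the `int dirlen` declaration that receives the `strlen` result on the first context line is not visible here.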