diff options
| author | Michal Srb <msrb@suse.com> | 2017-07-20 13:38:53 +0200 |
|---|---|---|
| committer | Matt Turner <mattst88@gmail.com> | 2017-10-19 13:42:46 -0700 |
| commit | a2a5fa591762b430037e33f1df55b460550ab406 (patch) | |
| tree | 169fc0a39578b42352824ddf19571bf0541c3e87 | |
| parent | 8cce9834b2e74dccad94ca0adf79ae5585e37d48 (diff) | |
Check for end of string in PatternMatch (CVE-2017-13720)
If a pattern contains '?' character, any character in the string is skipped,
even if it is '\0'. The rest of the matching then reads invalid memory.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit d1e670a4a8704b8708e493ab6155589bcd570608)
| -rw-r--r-- | src/fontfile/fontdir.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c index 7271603..511c96f 100644 --- a/src/fontfile/fontdir.c +++ b/src/fontfile/fontdir.c @@ -399,8 +399,10 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes) } } case '?': - if (*string++ == XK_minus) + if ((t = *string++) == XK_minus) stringdashes--; + if (!t) + return 0; break; case '\0': return (*string == '\0'); |