summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorMichal Srb <msrb@suse.com>2017-07-20 13:38:53 +0200
committerMatt Turner <mattst88@gmail.com>2017-10-19 13:42:46 -0700
commita2a5fa591762b430037e33f1df55b460550ab406 (patch)
tree169fc0a39578b42352824ddf19571bf0541c3e87 /src
parent8cce9834b2e74dccad94ca0adf79ae5585e37d48 (diff)
Check for end of string in PatternMatch (CVE-2017-13720)
If a pattern contains '?' character, any character in the string is skipped, even if it is '\0'. The rest of the matching then reads invalid memory. Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit d1e670a4a8704b8708e493ab6155589bcd570608)
Diffstat (limited to 'src')
-rw-r--r--src/fontfile/fontdir.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index 7271603..511c96f 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -399,8 +399,10 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes)
}
}
case '?':
- if (*string++ == XK_minus)
+ if ((t = *string++) == XK_minus)
stringdashes--;
+ if (!t)
+ return 0;
break;
case '\0':
return (*string == '\0');