From daff8876379c64c7bee126319af804896f83b5da Mon Sep 17 00:00:00 2001
From: Alex Richardson
Date: Wed, 14 Jul 2021 17:23:48 +0100
Subject: Fix out-of-bounds read in FontFileMakeDir()

BuiltinReadDirectory() calls FontFileMakeDir ("", builtin_dir_count); and this causes the `dirName[dirlen - 1]` access to read before the start of the string. I found this while porting Xvnc to CHERI-RISC-V (which has bounds and permissions on all pointers).
---
 src/fontfile/fontdir.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index f4edc01..c8a6a0e 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -125,10 +125,7 @@ FontFileMakeDir(const char *dirName, int size)
         dirlen = strlen(dirName);
         attriblen = 0;
     }
-    if (dirName[dirlen - 1] != '/')
-#ifdef NCD
-        if (dirlen)             /* leave out slash for builtins */
-#endif
+    if (dirlen && dirName[dirlen - 1] != '/')
         needslash = 1;
     dir = malloc(sizeof *dir + dirlen + needslash + 1 +
                  (attriblen ? attriblen + 1 : 0));
-- 
cgit v1.2.3
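Review bot: The new guard `if (dirlen && dirName[dirlen - 1] != '/')` drops the only comment that explained the empty-name case, since the removed `/* leave out slash for builtins */` was attached to the NCD-only branch; the reason now applies to every build and should stay next to the condition, e.g. `/* an empty dirName (the builtin directory) gets no trailing slash; it also has no dirName[-1] */`. It is worth stating in that comment that the allocation on the following line sizes the buffer from `needslash`, so the guard keeps the length computation and the later copy in agreement. The check still relies on dirName being non-NULL, which the earlier `strlen(dirName)` in the same hunk already assumes, so no new requirement is introduced. FontFileMakeDir begins before and continues past this hunk.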