From d1e670a4a8704b8708e493ab6155589bcd570608 Mon Sep 17 00:00:00 2001 From: Michal Srb Date: Thu, 20 Jul 2017 13:38:53 +0200 Subject: Check for end of string in PatternMatch (CVE-2017-13720) If a pattern contains '?' character, any character in the string is skipped, even if it is '\0'. The rest of the matching then reads invalid memory. Reviewed-by: Peter Hutterer Signed-off-by: Julien Cristau --- src/fontfile/fontdir.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c index 4ce2473..996b7d1 100644 --- a/src/fontfile/fontdir.c +++ b/src/fontfile/fontdir.c @@ -400,8 +400,10 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes) } } case '?': - if (*string++ == XK_minus) + if ((t = *string++) == XK_minus) stringdashes--; + if (!t) + return 0; break; case '\0': return (*string == '\0'); -- cgit v1.2.3