From efb287223612e9225e5089bed76e348c236b15f0 Mon Sep 17 00:00:00 2001
From: Peter Harris
Date: Thu, 25 Mar 2021 15:56:31 -0400
Subject: Fix buffer overrun in FontFileMakeDir on WIN32
When dirName is "" (eg. when called by BuiltinReadDirectory), FontFileMakeDir would read after the string when WIN32 is defined. Fix the overrun issue by checking the location of the found : before adding two.
Signed-off-by: Peter Harris
Signed-off-by: Alan Coopersmith
---
 src/fontfile/fontdir.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index c63a245..a9bf667 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -112,11 +112,12 @@ FontFileMakeDir(const char *dirName, int size)
 const char *attrib;
 int attriblen;
-#if !defined(WIN32)
 attrib = strchr(dirName, ':');
-#else
- /* WIN32 uses the colon in the drive letter descriptor, skip this */
- attrib = strchr(dirName+2, ':');
+#if defined(WIN32)
+ if (attrib && attrib - dirName == 1) {
+ /* WIN32 uses the colon in the drive letter descriptor, skip this */
+ attrib = strchr(dirName + 2, ':');
+ }
 #endif
 if (attrib) {
 dirlen = attrib - dirName;
-- 
cgit v1.2.3
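Review bot: The comment kept inside the new WIN32 block says the drive-letter colon is skipped, but it does not record why `dirName + 2` is now in bounds, which is the invariant this fix depends on. A colon found at offset 1 means `dirName[2]` is at worst the terminating NUL, so I would state that next to the test, e.g. `/* colon at index 1 => dirName[2] exists (at worst NUL), so dirName + 2 stays inside the string */`. The condition `attrib - dirName == 1` also accepts any character before the colon as a drive letter; if only letters are valid there, `isalpha((unsigned char)dirName[0])` could be added to it, though the accepted path forms are not visible in this hunk. The diffstat shows a single file changed, so no regression case for `""` or a one-character name accompanies the fix. FontFileMakeDir's body starts before and continues after the hunk.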