From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#29523: closed (25.3; buffer overflow in ns-font-name on mac)
Date: Sat, 02 Dec 2017 13:51:01 +0000

Your message dated Sat, 2 Dec 2017 13:50:21 +0000
with message-id <address@hidden>
and subject line Re: bug#29523: 25.3; buffer overflow in ns-font-name on mac
has caused the debbugs.gnu.org bug report #29523,
regarding 25.3; buffer overflow in ns-font-name on mac
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
29523: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=29523
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: 25.3; buffer overflow in ns-font-name on mac
Date: Fri, 01 Dec 2017 23:53:34 +0900 (JST)
After I evaluate this code on mac Emacs:

;; Build a 2600-character font name (100 copies of the alphabet),
;; wrap it in XLFD delimiters and hand it to ns-font-name.
(let ((font-name "") (i 0))
  (while (< i 100)
    (setq font-name (concat font-name "abcdefghijklmnopqrstuvwxyz"))
    (setq i (1+ i)))
  (setq font-name (concat "-*-" font-name "-"))
  (ns-font-name font-name))

then, Emacs crashes.

The bug is in ns_xlfd_to_fontname() in nsterm.m:

  if (!strncmp (xlfd, "--", 2))
    sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
  else
    sscanf (xlfd, "-%*[^-]-%[^-]179-", name);

The positions of "179" are incorrect. They should be:

  if (!strncmp (xlfd, "--", 2))
    sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
  else
    sscanf (xlfd, "-%*[^-]-%179[^-]-", name);

Thanks.


In GNU Emacs 25.3.1 (x86_64-apple-darwin16.7.0, NS appkit-1504.83 Version 
10.12.6 (Build 16G1036))
 of 2017-12-01 built on yuukinombp.pink.masm11.ddo.jp
Windowing system distributor 'Apple', version 10.3.1504
Configured using:
 'configure --without-x --with-ns --with-modules
 PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:/usr/lib64/pkgconfig'

Configured features:
NOTIFY ACL LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES

Important settings:
  value of $LANG: ja_JP.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Fundamental

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  buffer-read-only: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message dired format-spec rfc822 mml
mml-sec password-cache epg gnus-util mm-decode mm-bodies mm-encode
mail-parse rfc2231 mailabbrev gmm-utils mailheader sendmail rfc2047
rfc2045 ietf-drums mm-util help-fns mail-prsvr mail-utils ibuf-macs
ibuffer finder-inf info package epg-config seq byte-opt gv bytecomp
byte-compile cl-extra help-mode easymenu cconv cl-loaddefs pcase cl-lib
time-date mule-util japan-util tooltip eldoc electric uniquify
ediff-hook vc-hooks lisp-float-type mwheel ns-win ucs-normalize
term/common-win tool-bar dnd fontset image regexp-opt fringe
tabulated-list newcomment elisp-mode lisp-mode prog-mode register page
menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock font-lock
syntax facemenu font-core frame cl-generic cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms
cp51932 hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese charscript case-table epa-hook jka-cmpr-hook help
simple abbrev minibuffer cl-preloaded nadvice loaddefs button faces
cus-face macroexp files text-properties overlay sha1 md5 base64 format
env code-pages mule custom widget hashtable-print-readable backquote
kqueue cocoa ns multi-tty make-network-process emacs)

Memory information:
((conses 16 220523 8595)
 (symbols 48 21882 0)
 (miscs 40 81 191)
 (strings 32 23156 7162)
 (string-bytes 1 718249)
 (vectors 16 44445)
 (vector-slots 8 816828 4794)
 (floats 8 194 21)
 (intervals 56 193 0)
 (buffers 976 18))

-- 
Yuuki Harano



--- End Message ---
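The two sscanf format strings from the report, side by side, in an added C example that is not part of the bug report or of Emacs's own code. It assumes the name buffer in ns_xlfd_to_fontname is 180 bytes (the 179 in the format plus a NUL; an assumption, not stated in the report), builds the same 2600-letter XLFD the Lisp snippet does, and shows that the misplaced width lets sscanf store the whole name while the corrected "%179[^-]" stores at most 179 bytes. The function names (make_long_xlfd, scan_name_buggy, scan_name_fixed, demo_*) are hypothetical; the buggy scanner is run only into a deliberately oversized scratch buffer so the demonstration itself never writes out of bounds.

```c
#include <stdio.h>
#include <string.h>

/* Assumption (not from the report): the name buffer in ns_xlfd_to_fontname
   is 180 bytes, i.e. the 179 in the format string plus one byte for NUL. */
enum { NAME_WIDTH = 179, NAME_BUF = NAME_WIDTH + 1 };

/* Constructed input of the shape the report's Lisp snippet builds:
   "-*-" followed by 100 copies of the alphabet (2600 letters) and a "-". */
static const char *make_long_xlfd(char *out, size_t cap)
{
    static const char alpha[] = "abcdefghijklmnopqrstuvwxyz";
    size_t pos;
    if (cap < 3 + 100 * 26 + 2)
        return NULL;
    memcpy(out, "-*-", 3);
    pos = 3;
    for (int i = 0; i < 100; i++) {
        memcpy(out + pos, alpha, 26);
        pos += 26;
    }
    out[pos++] = '-';
    out[pos] = '\0';
    return out;
}

/* Buggy format from the report: in "%[^-]179-" the 179 is a LITERAL that
   has to match after an unbounded %[^-] conversion, so sscanf copies every
   non-'-' byte into the destination before it even looks at "179".  The
   scratch buffer here is larger than the input so this demo never
   overflows; in Emacs the destination was the fixed-size name buffer. */
static size_t scan_name_buggy(const char *xlfd, char *scratch, size_t cap)
{
    if (cap <= strlen(xlfd))
        return (size_t)-1;          /* refuse to reproduce the overflow */
    scratch[0] = '\0';
    if (!strncmp(xlfd, "--", 2))
        sscanf(xlfd, "--%*[^-]-%[^-]179-", scratch);
    else
        sscanf(xlfd, "-%*[^-]-%[^-]179-", scratch);
    return strlen(scratch);
}

/* Fixed format: a maximum field width belongs between '%' and the
   conversion, so "%179[^-]" stores at most 179 bytes plus the NUL. */
static size_t scan_name_fixed(const char *xlfd, char name[NAME_BUF])
{
    name[0] = '\0';
    if (!strncmp(xlfd, "--", 2))
        sscanf(xlfd, "--%*[^-]-%179[^-]-", name);
    else
        sscanf(xlfd, "-%*[^-]-%179[^-]-", name);
    return strlen(name);
}

/* Drivers: how many bytes each scanner stores for the long constructed XLFD. */
size_t demo_buggy_length(void)
{
    static char xlfd[3000], scratch[3000];
    if (!make_long_xlfd(xlfd, sizeof xlfd))
        return (size_t)-1;
    return scan_name_buggy(xlfd, scratch, sizeof scratch);
}

size_t demo_fixed_length(void)
{
    static char xlfd[3000], name[NAME_BUF];
    if (!make_long_xlfd(xlfd, sizeof xlfd))
        return (size_t)-1;
    return scan_name_fixed(xlfd, name);
}

/* A well-formed short name still parses identically under the fix. */
size_t demo_fixed_short(void)
{
    char name[NAME_BUF];
    size_t n = scan_name_fixed("-*-Monaco-", name);
    return strcmp(name, "Monaco") == 0 ? n : (size_t)-1;
}

int main(void)
{
    printf("buggy format stored %zu bytes (buffer holds %d)\n",
           demo_buggy_length(), NAME_BUF);
    printf("fixed format stored %zu bytes\n", demo_fixed_length());
    printf("short name stored %zu bytes\n", demo_fixed_short());
    return 0;
}
```

The general lesson is the one a compiler cannot catch for you: in a scanf family format, only digits placed between '%' and the conversion character act as a width; digits after the conversion are just literal text to match, so "%[^-]179" is unbounded exactly like a bare "%s". When auditing C that parses untrusted strings with sscanf, every %s and %[ conversion without a width is the thing to look for.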
--- Begin Message ---
Subject: Re: bug#29523: 25.3; buffer overflow in ns-font-name on mac
Date: Sat, 2 Dec 2017 13:50:21 +0000
User-agent: Mutt/1.9.1 (2017-09-22)
On Sat, Dec 02, 2017 at 10:10:09AM +0200, Eli Zaretskii wrote:
> > Date: Fri, 1 Dec 2017 19:43:08 +0000
> > From: Alan Third <address@hidden>
> > Cc: address@hidden
> > 
> > > The bug is in ns_xlfd_to_fontname() in nsterm.m:
> > > 
> > >   if (!strncmp (xlfd, "--", 2))
> > >     sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
> > >   else
> > >     sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> > > 
> > > The positions of "179" are incorrect. They should be:
> > > 
> > >   if (!strncmp (xlfd, "--", 2))
> > >     sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
> > >   else
> > >     sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
> > 
> > Thanks for the fix. I expect this is copyright exempt
> 
> It is.

Thanks for the confirmation. I’ve pushed to emacs-26.
-- 
Alan Third


--- End Message ---