[groff] 02/03: [libgroff]: Fix Savannah #61424.
From: G. Branden Robinson
Subject: [groff] 02/03: [libgroff]: Fix Savannah #61424.
Date: Sun, 7 Nov 2021 03:06:05 -0500 (EST)
gbranden pushed a commit to branch master
in repository groff.
commit a891161bc94c7b6a6a3572cc82f31e5029078d7b
Author: G. Branden Robinson <g.branden.robinson@gmail.com>
AuthorDate: Sun Nov 7 10:31:02 2021 +1100
[libgroff]: Fix Savannah #61424.
* src/libs/libgroff/fontfile.cpp (font::open_file): Don't open
user-specified font file names with slashes in them; i.e., don't
traverse directories outside the configured font path. Also refuse to
open the file if the `sprintf()` used to construct its file name
doesn't write the expected quantity of bytes to the destination
buffer.
Fixes <https://savannah.gnu.org/bugs/?61424>. Thanks to Ingo Schwarze
for feedback.
---
ChangeLog | 12 ++++++++++++
src/libs/libgroff/fontfile.cpp | 13 ++++++++++---
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5deca75..9758a40 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
2021-11-07 G. Branden Robinson <g.branden.robinson@gmail.com>
+ * src/libs/libgroff/fontfile.cpp (font::open_file): Don't open
+ user-specified font file names with slashes in them; i.e., don't
+ traverse directories outside the configured font path. Also
+ refuse to open the file if the `sprintf()` used to construct its
+ file name doesn't write the expected quantity of bytes to the
+ destination buffer.
+
+ Fixes <https://savannah.gnu.org/bugs/?61424>. Thanks to Ingo
+ Schwarze for feedback.
+
+2021-11-07 G. Branden Robinson <g.branden.robinson@gmail.com>
+
[libgroff]: Regression-test Savannah #61424.
* src/roff/groff/tests/fp_should_not_traverse_directories.sh: Do
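Review bot: The entry's gloss "i.e., don't traverse directories outside the configured font path" is narrower than what the fontfile.cpp hunk does. The `strchr(nm, '/')` test refuses every name that contains a slash, including one that would resolve to a subdirectory inside the font path. Suggest wording the entry as "refuse font file names containing a slash" so the ChangeLog matches the behaviour a user will see.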
diff --git a/src/libs/libgroff/fontfile.cpp b/src/libs/libgroff/fontfile.cpp
index 0ebe35c..a5b03b6 100644
--- a/src/libs/libgroff/fontfile.cpp
+++ b/src/libs/libgroff/fontfile.cpp
@@ -60,9 +60,16 @@ void font::command_line_font_dir(const char *dir)
FILE *font::open_file(const char *nm, char **pathp)
{
- char *filename = new char[strlen(nm) + strlen(device) + 5];
- sprintf(filename, "dev%s/%s", device, nm);
- FILE *fp = font_path.open_file(filename, pathp);
+ FILE *fp = 0;
+ int expected_size = strlen(nm) + strlen(device) + 5; // 'dev' '/' '\0'
+ char *filename = new char[expected_size];
+ // Do not traverse user-specified directories; Savannah #61424.
+ if (0 == strchr(nm, '/')) {
+ int actual_size = sprintf(filename, "dev%s/%s", device, nm);
+ expected_size--; // sprintf() doesn't count the null terminator.
+ if (actual_size == expected_size)
+ fp = font_path.open_file(filename, pathp);
+ }
delete[] filename;
return fp;
}
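Review bot: The `actual_size == expected_size` comparison runs after `sprintf()` has already written into `filename`, so it detects a bad write rather than preventing one. Because the buffer is sized from the same two `strlen()` calls, the mismatch it can catch in practice is an error return from `sprintf()`. Consider `snprintf(filename, expected_size, "dev%s/%s", device, nm)` and rejecting a negative result or one that is `>= expected_size`, which bounds the write itself. `expected_size` is declared `int` while `strlen()` returns `size_t` and the value feeds `new char[]`; keeping it in `size_t` avoids the narrowing. Separately, a name refused at `if (0 == strchr(nm, '/'))` returns a null `fp` exactly as a missing file would, with no diagnostic, so a caller cannot tell "refused" from "not found"; a warning at the rejection point would make the new policy visible. The buffer is also allocated before the slash check and freed unused when the name is refused; moving the `new char[]` inside the `if` would avoid that.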