From 7365ad7a33f1262912f1b7360e20fa9eb45cd4db Mon Sep 17 00:00:00 2001 From: Nathan Crandall Date: Sun, 25 Nov 2018 13:32:02 -0800 Subject: [PATCH] libXfont: Fix ASAN errors in FontFileMakeDir() FontFileMakeDir() will automatically read one byte before the dirName buffer if an empty string is passed in, which one of its callers automatically does. Add a check to make sure we don't subtrct one from the array index unless it is non-zero. In addition, on WIN32 platforms, we will read past the buffer via an unchecked strchr() call. Add a check to ensure the pointer arithmetic does not reach beyond the buffer. --- src/fontfile/fontdir.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c index 7271603..ab87068 100644 --- a/src/fontfile/fontdir.c +++ b/src/fontfile/fontdir.c @@ -105,28 +105,25 @@ FontDirectoryPtr FontFileMakeDir(const char *dirName, int size) { FontDirectoryPtr dir; - int dirlen; + int dirlen = (int)strlen(dirName); int needslash = 0; - const char *attrib; + const char *attrib = NULL; int attriblen; #if !defined(WIN32) attrib = strchr(dirName, ':'); #else /* OS/2 uses the colon in the drive letter descriptor, skip this */ - attrib = strchr(dirName+2, ':'); + if (dirlen > 2) + attrib = strchr(dirName+2, ':'); #endif if (attrib) { dirlen = attrib - dirName; attriblen = strlen(attrib); } else { - dirlen = strlen(dirName); attriblen = 0; } - if (dirName[dirlen - 1] != '/') -#ifdef NCD - if (dirlen) /* leave out slash for builtins */ -#endif + if (dirlen && dirName[dirlen - 1] != '/') needslash = 1; dir = malloc(sizeof *dir + dirlen + needslash + 1 + (attriblen ? attriblen + 1 : 0)); -- 2.17.1