unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#29523: 25.3; buffer overflow in ns-font-name on mac
@ 2017-12-01 14:53 Yuuki Harano
  2017-12-01 19:43 ` Alan Third
  0 siblings, 1 reply; 4+ messages in thread
From: Yuuki Harano @ 2017-12-01 14:53 UTC (permalink / raw)
  To: 29523

After I evaluate this code on mac Emacs:

(let ((font-name "") (i 0))
  ;; Build a 2600-character family field, then wrap it as an XLFD.
  (while (< i 100)
    (setq font-name (concat font-name "abcdefghijklmnopqrstuvwxyz"))
    (setq i (1+ i)))
  (setq font-name (concat "-*-" font-name "-"))
  (ns-font-name font-name))

then, Emacs crashes.

The bug is in ns_xlfd_to_fontname() in nsterm.m:

  if (!strncmp (xlfd, "--", 2))
    sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
  else
    sscanf (xlfd, "-%*[^-]-%[^-]179-", name);

The positions of "179" are incorrect. They should be:

  if (!strncmp (xlfd, "--", 2))
    sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
  else
    sscanf (xlfd, "-%*[^-]-%179[^-]-", name);

Thanks.


In GNU Emacs 25.3.1 (x86_64-apple-darwin16.7.0, NS appkit-1504.83 Version 10.12.6 (Build 16G1036))
 of 2017-12-01 built on yuukinombp.pink.masm11.ddo.jp
Windowing system distributor 'Apple', version 10.3.1504
Configured using:
 'configure --without-x --with-ns --with-modules
 PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:/usr/lib64/pkgconfig'

Configured features:
NOTIFY ACL LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES

Important settings:
  value of $LANG: ja_JP.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Fundamental

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  buffer-read-only: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:

Load-path shadows:
None found.


-- 
Yuuki Harano
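The two sscanf formats side by side, as an added example that is not Emacs's own code: it feeds the report's 2604-byte XLFD to the corrected format and, to show why the original format overflows, to the original format scanning into a scratch buffer large enough for the whole input. NAME_LEN (180) and the sample font name are assumptions; the thread only shows the format strings.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Emacs's code. NAME_LEN stands in for the 180-byte "name"
   buffer ns_xlfd_to_fontname() fills (assumed; not quoted in the thread). */
#define NAME_LEN 180

/* Corrected format: "%179[^-]" stores at most 179 bytes plus the NUL. */
static int family_fixed(const char *xlfd, char name[NAME_LEN])
{
    name[0] = '\0';
    if (!strncmp(xlfd, "--", 2))
        sscanf(xlfd, "--%*[^-]-%179[^-]-", name);
    else
        sscanf(xlfd, "-%*[^-]-%179[^-]-", name);
    return (int) strlen(name);           /* bytes stored in name */
}

/* Original format: in "%[^-]179-" the 179 is literal text expected AFTER the
   field, so the field is unbounded. Scanning into a scratch buffer as large
   as the input shows how many bytes would have hit the 180-byte name. */
static int family_buggy(const char *xlfd, char *scratch, size_t cap)
{
    if (strlen(xlfd) >= cap) return -1;  /* scratch must hold any field */
    scratch[0] = '\0';
    if (!strncmp(xlfd, "--", 2))
        sscanf(xlfd, "--%*[^-]-%[^-]179-", scratch);
    else
        sscanf(xlfd, "-%*[^-]-%[^-]179-", scratch);
    return (int) strlen(scratch);
}

/* Stored length for the thread's input, "-*-" + 100 x alphabet + "-":
   fixed parser yields 179, the buggy one 2600 (2420 bytes past name[180]). */
static int report_len(int use_fixed)
{
    static char xlfd[2700], scratch[2700];
    char name[NAME_LEN];
    strcpy(xlfd, "-*-");
    for (int i = 0; i < 100; i++) strcat(xlfd, "abcdefghijklmnopqrstuvwxyz");
    strcat(xlfd, "-");
    return use_fixed ? family_fixed(xlfd, name)
                     : family_buggy(xlfd, scratch, sizeof scratch);
}

int main(void)
{
    printf("fixed: %d bytes, buggy: %d bytes\n", report_len(1), report_len(0));
    return 0;
}
```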

* bug#29523: 25.3; buffer overflow in ns-font-name on mac
  2017-12-01 14:53 bug#29523: 25.3; buffer overflow in ns-font-name on mac Yuuki Harano
@ 2017-12-01 19:43 ` Alan Third
  2017-12-02  8:10   ` Eli Zaretskii
  0 siblings, 1 reply; 4+ messages in thread
From: Alan Third @ 2017-12-01 19:43 UTC (permalink / raw)
  To: Yuuki Harano; +Cc: 29523

On Fri, Dec 01, 2017 at 11:53:34PM +0900, Yuuki Harano wrote:
> After I evaluate this code on mac Emacs:
> 
> (let ((font-name "") (i 0))
>   (while (< i 100)
>     (setq font-name (concat font-name "abcdefghijklmnopqrstuvwxyz"))
>     (setq i (1+ i)))
>   (setq font-name (concat "-*-" font-name "-"))
>   (ns-font-name font-name)
>   )
> 
> then, Emacs crashes.
> 
> The bug is in ns_xlfd_to_fontname() in nsterm.m:
> 
>   if (!strncmp (xlfd, "--", 2))
>     sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
>   else
>     sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> 
> The positions of "179" are incorrect. They should be:
> 
>   if (!strncmp (xlfd, "--", 2))
>     sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
>   else
>     sscanf (xlfd, "-%*[^-]-%179[^-]-", name);

Thanks for the fix. I expect this is copyright exempt, so I’ll push
the fix to emacs-26 soon.
-- 
Alan Third

* bug#29523: 25.3; buffer overflow in ns-font-name on mac
  2017-12-01 19:43 ` Alan Third
@ 2017-12-02  8:10   ` Eli Zaretskii
  2017-12-02 13:50     ` Alan Third
  0 siblings, 1 reply; 4+ messages in thread
From: Eli Zaretskii @ 2017-12-02  8:10 UTC (permalink / raw)
  To: Alan Third; +Cc: 29523, masm-emacs

> Date: Fri, 1 Dec 2017 19:43:08 +0000
> From: Alan Third <alan@idiocy.org>
> Cc: 29523@debbugs.gnu.org
> 
> > The bug is in ns_xlfd_to_fontname() in nsterm.m:
> > 
> >   if (!strncmp (xlfd, "--", 2))
> >     sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
> >   else
> >     sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> > 
> > The positions of "179" are incorrect. They should be:
> > 
> >   if (!strncmp (xlfd, "--", 2))
> >     sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
> >   else
> >     sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
> 
> Thanks for the fix. I expect this is copyright exempt

It is.

Thanks.

* bug#29523: 25.3; buffer overflow in ns-font-name on mac
  2017-12-02  8:10   ` Eli Zaretskii
@ 2017-12-02 13:50     ` Alan Third
  0 siblings, 0 replies; 4+ messages in thread
From: Alan Third @ 2017-12-02 13:50 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 29523-done, masm-emacs

On Sat, Dec 02, 2017 at 10:10:09AM +0200, Eli Zaretskii wrote:
> > Date: Fri, 1 Dec 2017 19:43:08 +0000
> > From: Alan Third <alan@idiocy.org>
> > Cc: 29523@debbugs.gnu.org
> > 
> > > The bug is in ns_xlfd_to_fontname() in nsterm.m:
> > > 
> > >   if (!strncmp (xlfd, "--", 2))
> > >     sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
> > >   else
> > >     sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> > > 
> > > The positions of "179" are incorrect. They should be:
> > > 
> > >   if (!strncmp (xlfd, "--", 2))
> > >     sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
> > >   else
> > >     sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
> > 
> > Thanks for the fix. I expect this is copyright exempt
> 
> It is.

Thanks for the confirmation. I’ve pushed to emacs-26.
-- 
Alan Third
