From: Daniel Martín via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Newsgroups: gmane.emacs.bugs
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Date: Sat, 09 Oct 2021 21:35:22 +0200
References: <83bl3yya46.fsf@gnu.org> <83v926whih.fsf@gnu.org>
In-Reply-To: (Alan Third's message of "Sat, 9 Oct 2021 14:57:40 +0100")
To: Alan Third
Cc: 51105@debbugs.gnu.org, Eli Zaretskii
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)
Alan Third writes:

> On Sat, Oct 09, 2021 at 02:43:18PM +0300, Eli Zaretskii wrote:
>> > From: Daniel Martín
>> > Cc: 51105@debbugs.gnu.org
>> > Date: Sat, 09 Oct 2021 12:06:36 +0200
>> >
>> > Now I think that the right thing to do may be to modify nsterm.m, switch
>> > on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call
>> > composition_gstring_width to get the glyph metrics. Function
>> > composition_gstring_width uses the values from fields s->cmp_from and
>> > s->cmp_to, and would avoid the buffer overflow:
>> >
>> > (lldb) fr v s->cmp_from
>> > (int) s->cmp_from = 6
>> > (lldb) fr v s->cmp_to
>> > (int) s->cmp_to = 7
>> >
>> > WDYT? I can prepare a patch of this type if you agree.
>>
>> SGTM, but I'd like to hear Alan's opinion as well, as I don't feel I
>> know enough about the NS display backend.
>
> I don't know much about this part of the code, but it sounds good to
> me too.

A reduced test case to reproduce the problem is to paste "العربية" in the *scratch* buffer.

I've attached a patch that fixes the issue.

Attachment: 0001-Fix-buffer-overflow-in-ns_compute_glyph_string_overh.patch

From 23897a25d7ddebc06ab855058d36a5e291e5cba3 Mon Sep 17 00:00:00 2001
From: Daniel Martín
Date: Sat, 9 Oct 2021 21:10:20 +0200
Subject: [PATCH] Fix buffer overflow in ns_compute_glyph_string_overhangs

* src/nsterm.m (ns_compute_glyph_string_overhangs): When the first
glyph of a glyph string is a composite glyph, `s->nchars' is 0, so
"s->char2b + s->nchars - 1" dereferenced a position before buffer
`s->char2b'.  Instead, rewrite part of the function to distinguish
between character glyphs and composite glyphs.  For character glyphs,
calculate the font metrics using the `text_extents' function, passing
it the entire glyph string; for composite glyphs, call
`composition_gstring_width'.  (Bug#51105)
---
 src/nsterm.m | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..e616766ec7 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2848,20 +2848,27 @@ Hide the window (X11 semantics) External (RIF); compute left/right overhang of whole string and set in s -------------------------------------------------------------------------- */ { - struct font *font = s->font; - if (s->char2b) { struct font_metrics metrics; - unsigned int codes[2]; - codes[0] = *(s->char2b); - codes[1] = *(s->char2b + s->nchars - 1); - - font->driver->text_extents (font, codes, 2, &metrics); - s->left_overhang = -metrics.lbearing; - s->right_overhang - = metrics.rbearing > metrics.width - ? metrics.rbearing - metrics.width : 0; + if (s->first_glyph->type == CHAR_GLYPH && !s->font_not_found_p) + { + struct font *font = s->font; + font->driver->text_extents (font, s->char2b, s->nchars, &metrics); + s->left_overhang = -metrics.lbearing; + s->right_overhang + = metrics.rbearing > metrics.width + ? metrics.rbearing - metrics.width : 0; + } + else if (s->first_glyph->type == COMPOSITE_GLYPH) + { + Lisp_Object gstring = composition_gstring_from_id (s->cmp_id); + + composition_gstring_width (gstring, s->cmp_from, s->cmp_to, &metrics); + s->right_overhang = (metrics.rbearing > metrics.width + ? metrics.rbearing - metrics.width : 0); + s->left_overhang = metrics.lbearing < 0 ? -metrics.lbearing : 0; + } } else { -- 2.31.0 --=-=-= Content-Type: text/plain Let me know if you like it and please install it on my behalf if so. Thanks. --=-=-=--
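Review bot: inside `if (s->char2b)` the rewritten code assigns s->left_overhang and s->right_overhang only in the CHAR_GLYPH branch (and only when !s->font_not_found_p) and in the COMPOSITE_GLYPH branch, whereas the removed lines set both unconditionally, so any other glyph type, or a CHAR_GLYPH whose font was not found, now leaves both overhangs untouched; add a trailing `else` that sets both to 0, or a comment stating that the caller's initialisation of the glyph string is relied on. Minor: the two branches treat lbearing differently (`s->left_overhang = -metrics.lbearing;` versus `s->left_overhang = metrics.lbearing < 0 ? -metrics.lbearing : 0;`), so a one-line comment would help if the asymmetry is intentional.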