From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Daniel =?UTF-8?Q?Mart=C3=ADn?= via "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#51105: 29.0.50;
 Buffer overflow bug in ns_compute_glyph_string_overhangs
Date: Sat, 09 Oct 2021 21:41:57 +0200
Message-ID: <m1o87yq92y.fsf@yahoo.es>
References: <m17den59au.fsf.ref@yahoo.es> <m17den59au.fsf@yahoo.es>
 <83bl3yya46.fsf@gnu.org> <m1r1cu4imr.fsf@yahoo.es>
 <83v926whih.fsf@gnu.org> <YWGf1Bc+wFI3cixx@idiocy.org>
 <m1a6jirnyd.fsf@yahoo.es>
Reply-To: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@yahoo.es>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="20042"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)
Cc: alan@idiocy.org, eliz@gnu.org
To: 51105@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Sat Oct 09 21:43:11 2021
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1mZIFS-0004z3-48
	for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 09 Oct 2021 21:43:10 +0200
Original-Received: from localhost ([::1]:47298 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1mZIFQ-0005bb-Us
	for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 09 Oct 2021 15:43:08 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:58440)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1mZIFL-0005bK-2X
 for bug-gnu-emacs@gnu.org; Sat, 09 Oct 2021 15:43:03 -0400
Original-Received: from debbugs.gnu.org ([209.51.188.43]:42621)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1mZIFK-0001MI-Ml
 for bug-gnu-emacs@gnu.org; Sat, 09 Oct 2021 15:43:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1mZIFK-0000LU-Ez
 for bug-gnu-emacs@gnu.org; Sat, 09 Oct 2021 15:43:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Daniel =?UTF-8?Q?Mart=C3=ADn?= <mardani29@yahoo.es>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sat, 09 Oct 2021 19:43:02 +0000
Resent-Message-ID: <handler.51105.B.16338085311266@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 51105
X-GNU-PR-Package: emacs
X-Debbugs-Original-To: Daniel =?UTF-8?Q?Mart=C3=ADn?= via "Bug reports for GNU
 Emacs, the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
X-Debbugs-Original-Cc: 51105@debbugs.gnu.org, Alan Third <alan@idiocy.org>,
 Eli Zaretskii <eliz@gnu.org>
Original-Received: via spool by submit@debbugs.gnu.org id=B.16338085311266
 (code B ref -1); Sat, 09 Oct 2021 19:43:02 +0000
Original-Received: (at submit) by debbugs.gnu.org; 9 Oct 2021 19:42:11 +0000
Original-Received: from localhost ([127.0.0.1]:54167 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1mZIEU-0000KF-NX
 for submit@debbugs.gnu.org; Sat, 09 Oct 2021 15:42:11 -0400
Original-Received: from lists.gnu.org ([209.51.188.17]:50702)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mardani29@yahoo.es>) id 1mZIEQ-0000Jy-B6
 for submit@debbugs.gnu.org; Sat, 09 Oct 2021 15:42:09 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:58364)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mardani29@yahoo.es>)
 id 1mZIEP-0005Zd-CT
 for bug-gnu-emacs@gnu.org; Sat, 09 Oct 2021 15:42:06 -0400
Original-Received: from sonic313-21.consmr.mail.ir2.yahoo.com ([77.238.179.188]:40389)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <mardani29@yahoo.es>)
 id 1mZIEN-0001Iw-LP
 for bug-gnu-emacs@gnu.org; Sat, 09 Oct 2021 15:42:05 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.es; s=s2048;
 t=1633808520; bh=mezjEi0afG9ZiSQCT0OnaZHP+WCx7HUW+DkylDmTZTo=;
 h=From:To:Cc:Subject:References:Date:In-Reply-To:From:Subject:Reply-To;
 b=L6FuRCiLqavcbYOuU48bPa2xI4BUMavz9XZRXuNcX81W7pyqCYbwb7uojTiUeren3rg8mJnEGrygFiPWrYQLVe42bBhuppRgvvLk1btTXUow5UKnhu4nGLwnwP/5eRU7ZtuoKY46BnLyCYmvHjHuz0Kou0Z8DXrBPt/U9ilaD9Rg5VFVXqaWeURs/1yu14h2wfImXoKQJBdQ3kXfb4BO62h0YrtCOVQONzyRLTSO8b01ZrT+6xfWBpjKk5gp0JpL1M9iHMi3mIBg3XFVQOnmBFd7UyYw/LZOaSQq6754uvMMMN1yfao666IZf96sg5Q4z33cZYbbV3gvE7TCgKRWKg==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; 
 t=1633808520;
 bh=ed4ZOroqiGuGfZhzENx38+9ISvQLofAjoRmf+wMwS6K=; 
 h=X-Sonic-MF:From:To:Subject:Date:From:Subject;
 b=XRX5ygT3mGQcHXhCqEAqLWDxlguztggl6QSoBNYWM/VP3WactZjdrYXRKgUQJwj3mwgX/XRSVj5H66DrvtsjuklIZVmEzEm6ONc+FpGlFvxeIiQw9b15mI/oYYBQKSkZzPeGRPv4JuC/wn0eo1B5hb0OPInP4MZSkTcNYRwdYeIHu/pz6McFO2ps5CfjabTHRe0SX97b+Q4g8xVMFRtoa4JBlLyxUFDis8Q5JRAW7sHERW7m9vksz5P5p/KePDeYXr9xCbY9jqr8oPy46u7wBnDSIO8cOeorj6HZumlWt0Cc5gjuSSUSLnAIjEea1orl9qFgG5gWBxSkcXighOUhdQ==
X-YMail-OSG: F3RXCQcVM1n_hkojpfDDzBJ5XDrlqe3WJSJ8ym8cOLN8O6HCZY8XR4TkNE1JpwO
 8mmetAi_RFwN6_41bC78ocJBZud6Z2hvNjQik.l.8SWLHoRafksGFJCaCkN3RGMVfK9uNf_hJc6t
 JPUsh8ItV.4xsMw5sqJVuSxlbHKdDfROfq9s_fW6JiW6iFFc5KCzb4v9N191OJVyjIyl3Rj2zpjP
 QouhHc5Jnbkjcr4xj1v2bjnvizW8mngKDLvsO39WJQchkHP_onK2SmMFF12AiAe3iZHjXsSp2iAR
 jBlFwMKoB4QKkpJVv_bPKAIrbPllhfoz7PZG_D9okzqAOwViMgzODg8G6o5PTppL6Q5eAorOHumN
 i8Fa6jJqCnLvxYRQMAoOd4o4m0u.2Nvw_JQPhDGu7h6xfSO4q53WPNYhZw1rHV3qp7rwzMWl1EjW
 9BvqH3uwQoO4XRp7Zf.NgzD6flUJTTlvMDen_0hPrufk2m_i_gqrW7ji0CUH9_PTae.26AGACXv8
 xW5ALl7tRUi6LmSmTRLn6lyaAku2ULKxErgz9HHwXDGFDqsHllnfQQydnePS94jWMoEKtpJ6.ziH
 EhVso_FV2NH4kriyTMe90_IWRwePnM1HNadlKf_CwjdXRIuFxHJOqWwhL6NTQ.xbydEyE7kcelQl
 VanwfxTTmc6B8iAWqmivacykRVuBC3yyHuznqN8ziHDnLSb8VNrMkz3QVyqjnadeTqtSOlwQLZlV
 uWp_NePacXTg6L3mRjMwEWmdiR8HzDzB5AeGZKqdAFMAxi.0SHXYOFCVD73XcIwsdZbX2rSrK6b0
 AcTe4HfFhn_r7uYXAnX_n4G2y7vX_0CLudm2HIZngV 
X-Sonic-MF: <mardani29@yahoo.es>
Original-Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic313.consmr.mail.ir2.yahoo.com with HTTP; Sat, 9 Oct 2021 19:42:00 +0000
Original-Received: by kubenode534.mail-prod1.omega.ir2.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 8407a3ebbcb93664e4a88831d1761cc0; 
 Sat, 09 Oct 2021 19:41:58 +0000 (UTC)
In-Reply-To: <m1a6jirnyd.fsf@yahoo.es> ("Daniel =?UTF-8?Q?Mart=C3=ADn?= via
 \"Bug reports for
 GNU Emacs, the Swiss army knife of text editors\""'s message of "Sat,
 09 Oct 2021 21:35:22 +0200")
X-Mailer: WebService/1.1.19116
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Received-SPF: pass client-ip=77.238.179.188; envelope-from=mardani29@yahoo.es; 
 helo=sonic313-21.consmr.mail.ir2.yahoo.com
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: "bug-gnu-emacs"
 <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.bugs:216792
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/216792>

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Daniel Mart=C3=ADn via "Bug reports for GNU Emacs, the Swiss army knife of
text editors" <bug-gnu-emacs@gnu.org> writes:

>
> A reduced test case to reproduce the problem is to paste "=D8=A7=D9=84=D8=
=B9=D8=B1=D8=A8=D9=8A=D8=A9" in the
> *scratch* buffer.
>
> I've attached a patch that fixes the issue.
>
>
>
> Let me know if you like it and please install it on my behalf if so.
> Thanks.

Sorry, there was an indentation problem in the previous patch.  Here's
an updated one.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment;
 filename=0001-Fix-buffer-overflow-in-ns_compute_glyph_string_overh.patch

>From 1f64cf0bb78b77570d60f70c2e2342c2293a5ffb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Mart=C3=ADn?= <mardani29@yahoo.es>
Date: Sat, 9 Oct 2021 21:10:20 +0200
Subject: [PATCH] Fix buffer overflow in ns_compute_glyph_string_overhangs

* src/nsterm.m (ns_compute_glyph_string_overhangs): When the first
glyph of a glyph string is a composite glyph, `s->nchars' is 0, so
"s->char2b + s->nchars - 1" dereferenced a position before buffer
`s->char2b'.  Instead, rewrite part of the function to distinguish
between character glyphs and composite glyphs.  For character glyphs,
calculate the font metrics using the `text_extents' function, passing
it the entire glyph string; for composite glyphs, call
`composition_gstring_width'. (Bug#51105)
---
 src/nsterm.m | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..e8e08640c6 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2848,20 +2848,27 @@ Hide the window (X11 semantics)
      External (RIF); compute left/right overhang of whole string and set in s
    -------------------------------------------------------------------------- */
 {
-  struct font *font = s->font;
-
   if (s->char2b)
     {
       struct font_metrics metrics;
-      unsigned int codes[2];
-      codes[0] = *(s->char2b);
-      codes[1] = *(s->char2b + s->nchars - 1);
-
-      font->driver->text_extents (font, codes, 2, &metrics);
-      s->left_overhang = -metrics.lbearing;
-      s->right_overhang
-	= metrics.rbearing > metrics.width
-	? metrics.rbearing - metrics.width : 0;
+      if (s->first_glyph->type == CHAR_GLYPH && !s->font_not_found_p)
+        {
+          struct font *font = s->font;
+          font->driver->text_extents (font, s->char2b, s->nchars, &metrics);
+          s->left_overhang = -metrics.lbearing;
+          s->right_overhang
+            = metrics.rbearing > metrics.width
+            ? metrics.rbearing - metrics.width : 0;
+        }
+      else if (s->first_glyph->type == COMPOSITE_GLYPH)
+        {
+          Lisp_Object gstring = composition_gstring_from_id (s->cmp_id);
+
+          composition_gstring_width (gstring, s->cmp_from, s->cmp_to, &metrics);
+          s->right_overhang = (metrics.rbearing > metrics.width
+                               ? metrics.rbearing - metrics.width : 0);
+          s->left_overhang = metrics.lbearing < 0 ? -metrics.lbearing : 0;
+        }
     }
   else
     {
-- 
2.31.0


--=-=-=--