* bug#29523: 25.3; buffer overflow in ns-font-name on mac
From: Yuuki Harano @ 2017-12-01 14:53 UTC (permalink / raw)
To: 29523
After I evaluate this code in Emacs on a Mac:
(let ((font-name "") (i 0))
  (while (< i 100)
    (setq font-name (concat font-name "abcdefghijklmnopqrstuvwxyz"))
    (setq i (1+ i)))
  (setq font-name (concat "-*-" font-name "-"))
  (ns-font-name font-name))
then Emacs crashes.
The bug is in ns_xlfd_to_fontname() in nsterm.m:
if (!strncmp (xlfd, "--", 2))
  sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
else
  sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
The positions of "179" are incorrect. They should be:
if (!strncmp (xlfd, "--", 2))
  sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
else
  sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
Thanks.
In GNU Emacs 25.3.1 (x86_64-apple-darwin16.7.0, NS appkit-1504.83 Version 10.12.6 (Build 16G1036))
of 2017-12-01 built on yuukinombp.pink.masm11.ddo.jp
Windowing system distributor 'Apple', version 10.3.1504
Configured using:
'configure --without-x --with-ns --with-modules
PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:/usr/lib64/pkgconfig'
Configured features:
NOTIFY ACL LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES
Important settings:
value of $LANG: ja_JP.UTF-8
locale-coding-system: utf-8-unix
--
Yuuki Harano
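As an added illustration, not code from Emacs or from the reporter, the hypothetical xlfd_family() below applies the corrected sscanf format to the report's 2600-character family field and shows it being cut at 179 characters instead of overrunning the destination; NAME_LEN and build_long_xlfd() are assumptions made for this stand-alone program.

```c
#include <stdio.h>
#include <string.h>

/* NAME_LEN is an assumption: a 180-byte buffer, i.e. the 179-character
   field width plus the terminating NUL. */
#define NAME_LEN 180

/* Copy the second XLFD field (the family) into name, as the corrected
   sscanf calls do.  Returns the stored length, or -1 when nothing matched. */
int xlfd_family (const char *xlfd, char name[NAME_LEN])
{
  int matched;
  name[0] = '\0';               /* sscanf leaves name untouched on failure */
  /* The width must sit between '%' and '[': "%179[^-]" stops after 179
     characters.  In "%[^-]179" the scanset is unbounded and "179" is only
     a literal expected after it, so a long field overruns the buffer. */
  if (!strncmp (xlfd, "--", 2))
    matched = sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
  else
    matched = sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
  return matched == 1 ? (int) strlen (name) : -1;
}

/* Constructed input matching the report: "-*-" + 100 copies of the
   alphabet + "-", 2604 characters.  Returns the length written, or 0 if
   buf is too small. */
size_t build_long_xlfd (char *buf, size_t bufsz)
{
  const char *alpha = "abcdefghijklmnopqrstuvwxyz";
  size_t len = 3;
  if (bufsz < 3 + 100 * 26 + 2)
    return 0;
  memcpy (buf, "-*-", 3);
  for (int i = 0; i < 100; i++, len += 26)
    memcpy (buf + len, alpha, 26);
  buf[len++] = '-';
  buf[len] = '\0';
  return len;
}

int main (void)
{
  char name[NAME_LEN], big[4096];
  build_long_xlfd (big, sizeof big);
  printf ("short: %d %s\n", xlfd_family ("-*-Monaco-12-", name), name);
  printf ("long:  %d chars stored\n", xlfd_family (big, name));
  return 0;
}
```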
* bug#29523: 25.3; buffer overflow in ns-font-name on mac
From: Alan Third @ 2017-12-01 19:43 UTC (permalink / raw)
To: Yuuki Harano; +Cc: 29523
On Fri, Dec 01, 2017 at 11:53:34PM +0900, Yuuki Harano wrote:
> After I evaluate this code in Emacs on a Mac:
>
> (let ((font-name "") (i 0))
>   (while (< i 100)
>     (setq font-name (concat font-name "abcdefghijklmnopqrstuvwxyz"))
>     (setq i (1+ i)))
>   (setq font-name (concat "-*-" font-name "-"))
>   (ns-font-name font-name))
>
> then Emacs crashes.
>
> The bug is in ns_xlfd_to_fontname() in nsterm.m:
>
> if (!strncmp (xlfd, "--", 2))
>   sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
> else
>   sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
>
> The positions of "179" are incorrect. They should be:
>
> if (!strncmp (xlfd, "--", 2))
>   sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
> else
>   sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
Thanks for the fix. I expect this is copyright exempt, so I’ll push
the fix to emacs-26 soon.
--
Alan Third
* bug#29523: 25.3; buffer overflow in ns-font-name on mac
From: Eli Zaretskii @ 2017-12-02 8:10 UTC (permalink / raw)
To: Alan Third; +Cc: 29523, masm-emacs
> Date: Fri, 1 Dec 2017 19:43:08 +0000
> From: Alan Third <alan@idiocy.org>
> Cc: 29523@debbugs.gnu.org
>
> > The bug is in ns_xlfd_to_fontname() in nsterm.m:
> >
> > if (!strncmp (xlfd, "--", 2))
> >   sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
> > else
> >   sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> >
> > The positions of "179" are incorrect. They should be:
> >
> > if (!strncmp (xlfd, "--", 2))
> >   sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
> > else
> >   sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
>
> Thanks for the fix. I expect this is copyright exempt
It is.
Thanks.
* bug#29523: 25.3; buffer overflow in ns-font-name on mac
From: Alan Third @ 2017-12-02 13:50 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: 29523-done, masm-emacs
On Sat, Dec 02, 2017 at 10:10:09AM +0200, Eli Zaretskii wrote:
> > Date: Fri, 1 Dec 2017 19:43:08 +0000
> > From: Alan Third <alan@idiocy.org>
> > Cc: 29523@debbugs.gnu.org
> >
> > > The bug is in ns_xlfd_to_fontname() in nsterm.m:
> > >
> > > if (!strncmp (xlfd, "--", 2))
> > >   sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
> > > else
> > >   sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> > >
> > > The positions of "179" are incorrect. They should be:
> > >
> > > if (!strncmp (xlfd, "--", 2))
> > >   sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
> > > else
> > >   sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
> >
> > Thanks for the fix. I expect this is copyright exempt
>
> It is.
Thanks for the confirmation. I’ve pushed to emacs-26.
--
Alan Third