From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Alan Third <alan@idiocy.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#29523: 25.3; buffer overflow in ns-font-name on mac
Date: Fri, 1 Dec 2017 19:43:08 +0000
Message-ID: <20171201194308.GA44478@breton.holly.idiocy.org>
References: <20171201.235334.2302300328404793169.masm@luna.pink.masm11.ddo.jp>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Trace: blaine.gmane.org 1512161045 8827 195.159.176.226 (1 Dec 2017 20:44:05 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Fri, 1 Dec 2017 20:44:05 +0000 (UTC)
User-Agent: Mutt/1.9.1 (2017-09-22)
Cc: 29523@debbugs.gnu.org
To: Yuuki Harano <masm-emacs@masm11.ddo.jp>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Fri Dec 01 21:44:02 2017
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1eKsA8-0001jb-C4
	for geb-bug-gnu-emacs@m.gmane.org; Fri, 01 Dec 2017 21:43:56 +0100
Original-Received: from localhost ([::1]:60939 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1eKsAF-0006pJ-Md
	for geb-bug-gnu-emacs@m.gmane.org; Fri, 01 Dec 2017 15:44:03 -0500
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:52101)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eKrEG-0008BU-DD
	for bug-gnu-emacs@gnu.org; Fri, 01 Dec 2017 14:44:09 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eKrEB-0004hO-ML
	for bug-gnu-emacs@gnu.org; Fri, 01 Dec 2017 14:44:08 -0500
Original-Received: from debbugs.gnu.org ([208.118.235.43]:60070)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1eKrEB-0004hB-FI
	for bug-gnu-emacs@gnu.org; Fri, 01 Dec 2017 14:44:03 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eKrEA-0002y8-P8
	for bug-gnu-emacs@gnu.org; Fri, 01 Dec 2017 14:44:03 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Alan Third <alan@idiocy.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Fri, 01 Dec 2017 19:44:02 +0000
Resent-Message-ID: <handler.29523.B29523.151215740011331@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 29523
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
Original-Received: via spool by 29523-submit@debbugs.gnu.org id=B29523.151215740011331
	(code B ref 29523); Fri, 01 Dec 2017 19:44:02 +0000
Original-Received: (at 29523) by debbugs.gnu.org; 1 Dec 2017 19:43:20 +0000
Original-Received: from localhost ([127.0.0.1]:40514 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1eKrDU-0002wh-BG
	for submit@debbugs.gnu.org; Fri, 01 Dec 2017 14:43:20 -0500
Original-Received: from mail-wr0-f172.google.com ([209.85.128.172]:33081)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <athird@googlemail.com>) id 1eKrDS-0002wU-Gd
	for 29523@debbugs.gnu.org; Fri, 01 Dec 2017 14:43:18 -0500
Original-Received: by mail-wr0-f172.google.com with SMTP id v22so11248949wrb.0
	for <29523@debbugs.gnu.org>; Fri, 01 Dec 2017 11:43:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=googlemail.com; s=20161025;
	h=sender:date:from:to:cc:subject:message-id:references:mime-version
	:content-disposition:content-transfer-encoding:in-reply-to
	:user-agent; bh=7Zh5WIM8Om8hdko+fPhx9bxbUIb2RL1NWxzGDa4tARo=;
	b=qfEHKQE3So7JO9n/mrlmKpWjG2DD32I5yGcETKrDokblxnBY/B9az5ks/GSmOGTVwI
	cfPj00spm0YTAcrCOanWUesXrNxjtuDkjsLhak1dbwEQ0fqqD/TY6buoGl/YH+tVk+n8
	q18BGNSMYaVenNLc4bvLGjsGlgPEaTxUJzIi791gd2F8lOwcdF1l+XtSH+5FMSMf2HMh
	2foy5jxQi5A6FLcjVr/5MDKTxJzMSRN0aW+KQfLVP0S/AciNktxPo5FBWI76N/vQ4evV
	4G5dIrdlO9KAMGfRstkH4wvL/kAjVcpYkfaDBd0k66GmuWQlaBizmcrKw+QrWCQuG5R4
	MBZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:date:from:to:cc:subject:message-id
	:references:mime-version:content-disposition
	:content-transfer-encoding:in-reply-to:user-agent;
	bh=7Zh5WIM8Om8hdko+fPhx9bxbUIb2RL1NWxzGDa4tARo=;
	b=s8D1iyOI8GgzLRPsW9gTwfH7b4iUBcCuaMtgQSr5IM8EALbfrCfIiGjA/Y3AuxccQj
	GU4KZwm1FZut5wOo8ubo0dut0ZSs5nfpoSX/fGBAM7Ucy1pxhkXVE93kdC6THYU5LKbu
	HAQ0BDLdgX4tarFZbKlHIYJSdAMfkvtexONn4yNya5/X3aja6HDTSdajhUtcJ9r1c/Tx
	joSvRehMLZ5V0r1bBQu4AEN00zr+RV50BQtNUWuuYO3wsLHuLz/iey1y7Qw04Ovqs0rc
	xOn7ahtXQK2US27yjHXrygQWbHYPwGqunmsay4acIhltCE2YFrdoZl6ORHqf6/dtw3nN
	Wxiw==
X-Gm-Message-State: AJaThX7xXTSsAsWBx0fyjKtr4PZYOLxB+3sIlmPmh1UgN8WuwzAfHONJ
	b3amQV8P3pOs8+Ew7p19CNM=
X-Google-Smtp-Source: AGs4zMYd1RsAoflX9PMnPwbzzaCJIfRGCYEqrxmos/kXPQVyWs8/Q9+qB0zNc8hAV0iGI1hljS7zeA==
X-Received: by 10.223.188.141 with SMTP id g13mr6510744wrh.169.1512157391727; 
	Fri, 01 Dec 2017 11:43:11 -0800 (PST)
Original-Received: from breton.holly.idiocy.org
	(ip6-2001-08b0-03f8-8129-0103-f24d-4eeb-971e.holly.idiocy.org.
	[2001:8b0:3f8:8129:103:f24d:4eeb:971e])
	by smtp.gmail.com with ESMTPSA id 88sm32001wrf.20.2017.12.01.11.43.10
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Fri, 01 Dec 2017 11:43:10 -0800 (PST)
Content-Disposition: inline
In-Reply-To: <20171201.235334.2302300328404793169.masm@luna.pink.masm11.ddo.jp>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 208.118.235.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs/>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: "bug-gnu-emacs"
	<bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.bugs:140599
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/140599>

On Fri, Dec 01, 2017 at 11:53:34PM +0900, Yuuki Harano wrote:
> After I evaluate this code on mac Emacs:
> 
> (let ((font-name "") (i 0))
>   (while (< i 100)
>     (setq font-name (concat font-name "abcdefghijklmnopqrstuvwxyz"))
>     (setq i (1+ i)))
>   (setq font-name (concat "-*-" font-name "-"))
>   (ns-font-name font-name)
>   )
> 
> then, Emacs crashes.
> 
> The bug is in ns_xlfd_to_fontname() in nsterm.m:
> 
>   if (!strncmp (xlfd, "--", 2))
>     sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
>   else
>     sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> 
> The positions of "179" are incorrect. They should be:
> 
>   if (!strncmp (xlfd, "--", 2))
>     sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
>   else
>     sscanf (xlfd, "-%*[^-]-%179[^-]-", name);

Thanks for the fix. I expect this is copyright exempt, so I’ll push
the fix to emacs-26 soon.
-- 
Alan Third