all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
blob 0936171060f84874313bcdd8c982565ee24f5a17 1091 bytes (raw)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

 
Fix CVE-2017-13720.

Copied from upstream source repository:
<https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608>


From d1e670a4a8704b8708e493ab6155589bcd570608 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Thu, 20 Jul 2017 13:38:53 +0200
Subject: Check for end of string in PatternMatch (CVE-2017-13720)

If a pattern contains '?' character, any character in the string is skipped,
even if it is '\0'. The rest of the matching then reads invalid memory.

Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index 4ce2473..996b7d1 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -400,8 +400,10 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes)
 		}
 	    }
 	case '?':
-	    if (*string++ == XK_minus)
+	    if ((t = *string++) == XK_minus)
 		stringdashes--;
+	    if (!t)
+		return 0;
 	    break;
 	case '\0':
 	    return (*string == '\0');
-- 
cgit v0.10.2


debug log:

solving 093617106 ...
found 093617106 in https://git.savannah.gnu.org/cgit/guix.git

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.