libdraw/font.c buffer overflow

Tue, 5 Apr 2016 04:43:47 EDT
ray@[REDACTED]

Hi all,

In plan9port this bug keeps crashing mc when I run lc in a directory with Chinese characters. This is a diff from OpenBSD but it should apply cleanly to the various plan9 sources.

The code is basically trying to do a realloc (I guess realloc wasn’t available back then?) but it copies too much from the original buffer.

Since realloc is available, just use it. If realloc isn’t available outside plan9port (I haven’t checked) the memmove line should be changed from:

memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf);

to:

memmove(f->subf, of, f->nsubf*sizeof *subf);

I hope this is helpful.

Ray

Index: patches/patch-src_libdraw_font_c

RCS file: patches/patch-src_libdraw_font_c diff -N patches/patch-src_libdraw_font_c —– /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_libdraw_font_c 27 Mar 2016 04:18:54 -0000 @@ -0,0 +1,21 @@ +$OpenBSD$ +—– src/libdraw/font.c.orig Fri Jan 22 19:52:32 2016 ++++ src/libdraw/font.c Sun Mar 27 12:18:14 2016 +@@ -222,16 +222,14 @@ loadchar(Font f, Rune r, Cacheinfo c, int h, int nof + subf->age = 0; + }else{ / too recent; grow instead / + of = f->subf; +– f->subf = malloc((f->nsubf+DSUBF)sizeof subf); ++ f->subf = realloc(of, (f->nsubf+DSUBF)sizeof subf); + if(f->subf == nil){ + f->subf = of; + goto Toss; + } +– memmove(f->subf, of, (f->nsubf+DSUBF)sizeof subf); + memset(f->subf+f->nsubf, 0, DSUBFsizeof subf); + subf = &f->subf[f->nsubf]; + f->nsubf += DSUBF; +– free(of); + } + } + subf->age = 0;
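Review bot: the `*` characters are missing from the hunk as rendered here (`(f->nsubf+DSUBF)sizeof subf`, `DSUBFsizeof subf`, `loadchar(Font f, Rune r, Cacheinfo c, ...)`, `/ too recent; grow instead /`), so the patch as shown will not apply; the memmove line quoted in the mail body, `(f->nsubf+DSUBF)*sizeof *subf`, shows the intended form. On the logic: the removed memmove copied `f->nsubf+DSUBF` entries out of `of`, which only holds `f->nsubf` entries, so it read `DSUBF*sizeof *subf` bytes past the end of the old allocation; replacing malloc+memmove+free with `realloc(of, ...)` removes that copy, and the failure path `f->subf = of; goto Toss;` is correct because a failed realloc leaves the original block intact. Keep the following `memset(f->subf+f->nsubf, 0, ...)` as the hunk does, since realloc does not zero the grown region.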


Tue, 5 Apr 2016 14:10:20 EDT sl

fixed with changeset 5212:41108bb50b37