bug-groff

[bug #55257] xtotroff.c: Defined size of the array "encoding" is too sho


From: G. Branden Robinson
Subject: [bug #55257] xtotroff.c: Defined size of the array "encoding" is too short
Date: Tue, 1 Dec 2020 00:42:42 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Update of bug #55257 (project groff):

                  Status:               Confirmed => In Progress            

    _______________________________________________________

Follow-up Comment #3:

I have a fix in preparation.  Should land with my next batch of commits.


diff --git a/ChangeLog b/ChangeLog
index b41d1198..c36954e5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2020-12-01  G. Branden Robinson <g.branden.robinson@gmail.com>
+
+       * src/utils/xtotroff/xtotroff.c (MapFont): Avoid writing past
+       the end of a static buffer.  Problem found and patch supplied by
+       Bjarni Ingi Gislason.  I tweaked it to comment it differently
+       {in case the buffer ever needs to grow, but the prospects of
+       future X11 server-side font rendering development seem dim} and
+       use snprintf() instead of retaining the existing sprinf().
+
 2020-12-01  G. Branden Robinson <g.branden.robinson@gmail.com>
 
        * src/utils/xtotroff/xtotroff.c (CanonicalizeFontName,
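
Review bot: The last line of the new ChangeLog entry misspells the function as "sprinf()"; it should read "sprintf()". The entry also calls the target "a static buffer", but the array changed in MapFont is a fixed-size local declared as "char encoding[...]", so naming it ("the fixed-size 'encoding' buffer") would be more accurate and easier to search for later.
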
diff --git a/src/utils/xtotroff/xtotroff.c b/src/utils/xtotroff/xtotroff.c
index f6d316dc..cf7c41b8 100644
--- a/src/utils/xtotroff/xtotroff.c
+++ b/src/utils/xtotroff/xtotroff.c
@@ -130,7 +130,9 @@ static int MapFont(char *font_name, const char
*troff_name)
   XFontName parsed;
   int j, k;
   DviCharNameMap *char_map;
-  char encoding[256];
+  /* 'encoding' needs to hold a CharSetRegistry (256), a CharSetEncoding
+     (256) [both from XFontName.h], a dash, and a null terminator. */
+  char encoding[256 * 2 + 1 + 1];
   char *s;
   int wid;
   char name_string[2048];
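
Review bot: The new size of "encoding" repeats the literal 256 from XFontName.h instead of deriving it, so the declaration goes stale without any warning if those field sizes ever change. If CharSetRegistry and CharSetEncoding are fixed-size arrays, as the comment implies, "sizeof parsed.CharSetRegistry + sizeof parsed.CharSetEncoding" already leaves room for both strings, the dash and the terminator, and keeps the buffer tied to the header rather than to a comment.
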
@@ -161,7 +163,8 @@ static int MapFont(char *font_name, const char
*troff_name)
     return 0;
 
   XParseFontName(names[0], &parsed, &attributes);
-  sprintf(encoding, "%s-%s", parsed.CharSetRegistry,
+  size_t sz = sizeof encoding;
+  snprintf(encoding, sz, "%s-%s", parsed.CharSetRegistry,
          parsed.CharSetEncoding);
   for (s = encoding; *s; s++)
     if (isupper(*s))
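
Review bot: The return value of snprintf() is discarded, so a truncated registry-encoding string would pass unnoticed into the lowercasing loop that follows; compare the result against "sz" and fail the mapping when it is negative or not less than "sz". Separately, "size_t sz" is declared after a statement while the function's other locals sit at the top of the block; passing "sizeof encoding" directly to snprintf() would avoid both the mixed declaration and the extra variable.
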


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?55257>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/



