summary refs log tree commit diff
path: root/gnu/packages/patches/libxfont-CVE-2017-13720.patch
blob: 0936171060f84874313bcdd8c982565ee24f5a17 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
Fix CVE-2017-13720.

Copied from upstream source repository:
<https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608>


From d1e670a4a8704b8708e493ab6155589bcd570608 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Thu, 20 Jul 2017 13:38:53 +0200
Subject: Check for end of string in PatternMatch (CVE-2017-13720)

If a pattern contains '?' character, any character in the string is skipped,
even if it is '\0'. The rest of the matching then reads invalid memory.

Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index 4ce2473..996b7d1 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -400,8 +400,10 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes)
 		}
 	    }
 	case '?':
-	    if (*string++ == XK_minus)
+	    if ((t = *string++) == XK_minus)
 		stringdashes--;
+	    if (!t)
+		return 0;
 	    break;
 	case '\0':
 	    return (*string == '\0');
-- 
cgit v0.10.2