[bdf] Fix Savannah bug #41692. bdflib puts data from the input stream into a buffer in chunks of 1024 bytes. The data itself gets then parsed line by line, simply increasing the current pointer into the buffer; if the search for the final newline character exceeds the buffer size, more data gets read. However, in case the current line's end is very near to the buffer end, and the keyword to compare with is longer than the current line's length, an out-of-bounds read might happen since `memcmp' doesn't stop properly at the string end. * src/bdf/bdflib.c: s/ft_memcmp/ft_strncmp/ to make comparisons stop at string ends.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234
diff --git a/ChangeLog b/ChangeLog
index 46a2766..b6a419d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,21 @@
+2014-02-26 Wermer Lemberg <wl@gnu.org>
+
+ [bdf] Fix Savannah bug #41692.
+
+ bdflib puts data from the input stream into a buffer in chunks of
+ 1024 bytes. The data itself gets then parsed line by line, simply
+ increasing the current pointer into the buffer; if the search for
+ the final newline character exceeds the buffer size, more data gets
+ read.
+
+ However, in case the current line's end is very near to the buffer
+ end, and the keyword to compare with is longer than the current
+ line's length, an out-of-bounds read might happen since `memcmp'
+ doesn't stop properly at the string end.
+
+ * src/bdf/bdflib.c: s/ft_memcmp/ft_strncmp/ to make comparisons
+ stop at string ends.
+
2014-02-17 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
[autofit] Fix `make multi' compilation.
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index c9e231e..b0ec292 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1409,7 +1409,7 @@
/* If the property happens to be a comment, then it doesn't need */
/* to be added to the internal hash table. */
- if ( ft_memcmp( name, "COMMENT", 7 ) != 0 )
+ if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
{
/* Add the property to the font property table. */
error = hash_insert( fp->name,
@@ -1427,13 +1427,13 @@
/* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */
/* present, and the SPACING property should override the default */
/* spacing. */
- if ( ft_memcmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+ if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
font->default_char = fp->value.l;
- else if ( ft_memcmp( name, "FONT_ASCENT", 11 ) == 0 )
+ else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
font->font_ascent = fp->value.l;
- else if ( ft_memcmp( name, "FONT_DESCENT", 12 ) == 0 )
+ else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
font->font_descent = fp->value.l;
- else if ( ft_memcmp( name, "SPACING", 7 ) == 0 )
+ else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
{
if ( !fp->value.atom )
{
@@ -1491,7 +1491,7 @@
memory = font->memory;
/* Check for a comment. */
- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
+ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
{
linelen -= 7;
@@ -1508,7 +1508,7 @@
/* The very first thing expected is the number of glyphs. */
if ( !( p->flags & _BDF_GLYPHS ) )
{
- if ( ft_memcmp( line, "CHARS", 5 ) != 0 )
+ if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
{
FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" ));
error = FT_THROW( Missing_Chars_Field );
@@ -1542,7 +1542,7 @@
}
/* Check for the ENDFONT field. */
- if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 )
+ if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
{
/* Sort the glyphs by encoding. */
ft_qsort( (char *)font->glyphs,
@@ -1556,7 +1556,7 @@
}
/* Check for the ENDCHAR field. */
- if ( ft_memcmp( line, "ENDCHAR", 7 ) == 0 )
+ if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
{
p->glyph_enc = 0;
p->flags &= ~_BDF_GLYPH_BITS;
@@ -1572,7 +1572,7 @@
goto Exit;
/* Check for the STARTCHAR field. */
- if ( ft_memcmp( line, "STARTCHAR", 9 ) == 0 )
+ if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
{
/* Set the character name in the parse info first until the */
/* encoding can be checked for an unencoded character. */
@@ -1606,7 +1606,7 @@
}
/* Check for the ENCODING field. */
- if ( ft_memcmp( line, "ENCODING", 8 ) == 0 )
+ if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
{
if ( !( p->flags & _BDF_GLYPH ) )
{
@@ -1792,7 +1792,7 @@
}
/* Expect the SWIDTH (scalable width) field next. */
- if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
+ if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1808,7 +1808,7 @@
}
/* Expect the DWIDTH (scalable width) field next. */
- if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
+ if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1836,7 +1836,7 @@
}
/* Expect the BBX field next. */
- if ( ft_memcmp( line, "BBX", 3 ) == 0 )
+ if ( ft_strncmp( line, "BBX", 3 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1904,7 +1904,7 @@
}
/* And finally, gather up the bitmap. */
- if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
+ if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
{
unsigned long bitmap_size;
@@ -1979,7 +1979,7 @@
p = (_bdf_parse_t *) client_data;
/* Check for the end of the properties. */
- if ( ft_memcmp( line, "ENDPROPERTIES", 13 ) == 0 )
+ if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
{
/* If the FONT_ASCENT or FONT_DESCENT properties have not been */
/* encountered yet, then make sure they are added as properties and */
@@ -2020,12 +2020,12 @@
}
/* Ignore the _XFREE86_GLYPH_RANGES properties. */
- if ( ft_memcmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+ if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
goto Exit;
/* Handle COMMENT fields and properties in a special way to preserve */
/* the spacing. */
- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
+ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
{
name = value = line;
value += 7;
@@ -2089,7 +2089,7 @@
/* Check for a comment. This is done to handle those fonts that have */
/* comments before the STARTFONT line for some reason. */
- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
+ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
{
if ( p->opts->keep_comments != 0 && p->font != 0 )
{
@@ -2115,7 +2115,7 @@
{
memory = p->memory;
- if ( ft_memcmp( line, "STARTFONT", 9 ) != 0 )
+ if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
{
/* we don't emit an error message since this code gets */
/* explicitly caught one level higher */
@@ -2163,7 +2163,7 @@
}
/* Check for the start of the properties. */
- if ( ft_memcmp( line, "STARTPROPERTIES", 15 ) == 0 )
+ if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
{
if ( !( p->flags & _BDF_FONT_BBX ) )
{
@@ -2192,7 +2192,7 @@
}
/* Check for the FONTBOUNDINGBOX field. */
- if ( ft_memcmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+ if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
{
if ( !( p->flags & _BDF_SIZE ) )
{
@@ -2223,7 +2223,7 @@
}
/* The next thing to check for is the FONT field. */
- if ( ft_memcmp( line, "FONT", 4 ) == 0 )
+ if ( ft_strncmp( line, "FONT", 4 ) == 0 )
{
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
@@ -2258,7 +2258,7 @@
}
/* Check for the SIZE field. */
- if ( ft_memcmp( line, "SIZE", 4 ) == 0 )
+ if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
{
if ( !( p->flags & _BDF_FONT_NAME ) )
{
@@ -2312,7 +2312,7 @@
}
/* Check for the CHARS field -- font properties are optional */
- if ( ft_memcmp( line, "CHARS", 5 ) == 0 )
+ if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
{
char nbuf[128];