37 lines
1.1 KiB
Diff
37 lines
1.1 KiB
Diff
|
Fix CVE-2017-13720.
|
||
|
|
|
||
|
|
Copied from upstream source repository:
|
||
|
|
<https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608>
|
||
|
|
|
||
|
|
|
||
|
|
From d1e670a4a8704b8708e493ab6155589bcd570608 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Michal Srb <msrb@suse.com>
|
||
|
|
Date: Thu, 20 Jul 2017 13:38:53 +0200
|
||
|
|
Subject: Check for end of string in PatternMatch (CVE-2017-13720)
|
||
|
|
|
||
|
|
If a pattern contains '?' character, any character in the string is skipped,
|
||
|
|
even if it is '\0'. The rest of the matching then reads invalid memory.
|
||
|
|
|
||
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||
|
|
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
||
|
|
|
||
|
|
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
|
||
|
|
index 4ce2473..996b7d1 100644
|
||
|
|
--- a/src/fontfile/fontdir.c
|
||
|
|
+++ b/src/fontfile/fontdir.c
|
||
|
|
@@ -400,8 +400,10 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes)
|
||
|
|
}
|
||
|
|
}
|
||
|
|
case '?':
|
||
|
|
- if (*string++ == XK_minus)
|
||
|
|
+ if ((t = *string++) == XK_minus)
|
||
|
|
stringdashes--;
|
||
|
|
+ if (!t)
|
||
|
|
+ return 0;
|
||
|
|
break;
|
||
|
|
case '\0':
|
||
|
|
return (*string == '\0');
|
||
|
|
--
|
||
|
|
cgit v0.10.2
|
||
|
|
|