
ref: bd3dfb0dd23ab4d0ed9ab3c97c0226a7cfd1946d
parent: 685ef37f78f5f2193c2216eff1f9fcb364b9a0dc
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Tue Apr 5 07:24:07 EDT 2016

libdraw: fix out of bounds memory access after subfont array reallocation (thanks ray)

/n/bugs/open/libdrawfont.c_buffer_overflow
http://bugs.9front.org/open/libdrawfont.c_buffer_overflow/readme

ray@raylai.com

Hi all,

In plan9port this bug keeps crashing mc when I run lc in a directory with Chinese characters. This is a diff from OpenBSD but it should apply cleanly to the various plan9 sources.

The code is basically trying to do a realloc (I guess realloc wasn't available back then?) but it copies too much from the original buffer.

Since realloc is available, just use it. If realloc isn't available outside plan9port (I haven't checked) the memmove line should be changed from:
	memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf);
to:
	memmove(f->subf, of, f->nsubf*sizeof *subf);

I hope this is helpful.

Ray

--- a/sys/src/libdraw/font.c
+++ b/sys/src/libdraw/font.c
@@ -216,16 +216,14 @@
 			subf->age = 0;
 		}else{				/* too recent; grow instead */
 			of = f->subf;
-			f->subf = malloc((f->nsubf+DSUBF)*sizeof *subf);
+			f->subf = realloc(of, (f->nsubf+DSUBF)*sizeof *subf);
 			if(f->subf == nil){
 				f->subf = of;
 				goto Toss;
 			}
-			memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf);
-			memset(f->subf+f->nsubf, 0, DSUBF*sizeof *subf);
 			subf = &f->subf[f->nsubf];
+			memset(subf, 0, DSUBF*sizeof *subf);
 			f->nsubf += DSUBF;
-			free(of);
 		}
 	}
 	subf->age = 0;
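Review bot: The recovery branch `f->subf = of;` after the new `realloc(of, ...)` call is correct only because realloc leaves the original block intact when it returns nil, and that dependency is invisible to a reader who sees only the assignment; a comment such as `/* realloc failed: the old array is still valid, keep using it */` above `f->subf = of;` would record why `of` is still needed at all. The moved `memset(subf, 0, DSUBF*sizeof *subf);` now zeroes exactly the DSUBF slots appended past the old `f->nsubf` entries, which is what replaces the over-long memmove/memset pair, so a short note like `/* zero only the newly added slots */` would keep the next maintainer from widening it again. The size expression `(f->nsubf+DSUBF)*sizeof *subf` is computed in the width of `nsubf` before the promotion to the size type, so any future growth policy should keep DSUBF increments small enough that the product cannot overflow; nothing in this hunk shows the bound. The enclosing function begins and ends outside the hunk.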
--