GNU bug report logs - #29523
25.3; buffer overflow in ns-font-name on mac


Package: emacs;

Reported by: Yuuki Harano <masm-emacs <at> masm11.ddo.jp>

Date: Fri, 1 Dec 2017 16:25:02 UTC

Severity: normal

Found in version 25.3

Done: Alan Third <alan <at> idiocy.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#29523; Package emacs. (Fri, 01 Dec 2017 16:25:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yuuki Harano <masm-emacs <at> masm11.ddo.jp>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Fri, 01 Dec 2017 16:25:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Yuuki Harano <masm-emacs <at> masm11.ddo.jp>
To: bug-gnu-emacs <at> gnu.org
Subject: 25.3; buffer overflow in ns-font-name on mac
Date: Fri, 01 Dec 2017 23:53:34 +0900 (JST)
After I evaluate this code on mac Emacs:

(let ((font-name "") (i 0))
  (while (< i 100)
    (setq font-name (concat font-name "abcdefghijklmnopqrstuvwxyz"))
    (setq i (1+ i)))
  (setq font-name (concat "-*-" font-name "-"))
  (ns-font-name font-name)
  )

then, Emacs crashes.

The bug is in ns_xlfd_to_fontname() in nsterm.m:

  if (!strncmp (xlfd, "--", 2))
    sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
  else
    sscanf (xlfd, "-%*[^-]-%[^-]179-", name);

The positions of "179" are incorrect. They should be:

  if (!strncmp (xlfd, "--", 2))
    sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
  else
    sscanf (xlfd, "-%*[^-]-%179[^-]-", name);

Thanks.


In GNU Emacs 25.3.1 (x86_64-apple-darwin16.7.0, NS appkit-1504.83 Version 10.12.6 (Build 16G1036))
 of 2017-12-01 built on yuukinombp.pink.masm11.ddo.jp
Windowing system distributor 'Apple', version 10.3.1504
Configured using:
 'configure --without-x --with-ns --with-modules
 PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:/usr/lib64/pkgconfig'

Configured features:
NOTIFY ACL LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES

Important settings:
  value of $LANG: ja_JP.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Fundamental

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  buffer-read-only: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message dired format-spec rfc822 mml
mml-sec password-cache epg gnus-util mm-decode mm-bodies mm-encode
mail-parse rfc2231 mailabbrev gmm-utils mailheader sendmail rfc2047
rfc2045 ietf-drums mm-util help-fns mail-prsvr mail-utils ibuf-macs
ibuffer finder-inf info package epg-config seq byte-opt gv bytecomp
byte-compile cl-extra help-mode easymenu cconv cl-loaddefs pcase cl-lib
time-date mule-util japan-util tooltip eldoc electric uniquify
ediff-hook vc-hooks lisp-float-type mwheel ns-win ucs-normalize
term/common-win tool-bar dnd fontset image regexp-opt fringe
tabulated-list newcomment elisp-mode lisp-mode prog-mode register page
menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock font-lock
syntax facemenu font-core frame cl-generic cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms
cp51932 hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese charscript case-table epa-hook jka-cmpr-hook help
simple abbrev minibuffer cl-preloaded nadvice loaddefs button faces
cus-face macroexp files text-properties overlay sha1 md5 base64 format
env code-pages mule custom widget hashtable-print-readable backquote
kqueue cocoa ns multi-tty make-network-process emacs)

Memory information:
((conses 16 220523 8595)
 (symbols 48 21882 0)
 (miscs 40 81 191)
 (strings 32 23156 7162)
 (string-bytes 1 718249)
 (vectors 16 44445)
 (vector-slots 8 816828 4794)
 (floats 8 194 21)
 (intervals 56 193 0)
 (buffers 976 18))

-- 
Yuuki Harano




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#29523; Package emacs. (Fri, 01 Dec 2017 19:44:02 GMT) Full text and rfc822 format available.

Message #8 received at 29523 <at> debbugs.gnu.org (full text, mbox):

From: Alan Third <alan <at> idiocy.org>
To: Yuuki Harano <masm-emacs <at> masm11.ddo.jp>
Cc: 29523 <at> debbugs.gnu.org
Subject: Re: bug#29523: 25.3; buffer overflow in ns-font-name on mac
Date: Fri, 1 Dec 2017 19:43:08 +0000
On Fri, Dec 01, 2017 at 11:53:34PM +0900, Yuuki Harano wrote:
> After I evaluate this code on mac Emacs:
> 
> (let ((font-name "") (i 0))
>   (while (< i 100)
>     (setq font-name (concat font-name "abcdefghijklmnopqrstuvwxyz"))
>     (setq i (1+ i)))
>   (setq font-name (concat "-*-" font-name "-"))
>   (ns-font-name font-name)
>   )
> 
> then, Emacs crashes.
> 
> The bug is in ns_xlfd_to_fontname() in nsterm.m:
> 
>   if (!strncmp (xlfd, "--", 2))
>     sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
>   else
>     sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> 
> The positions of "179" are incorrect. They should be:
> 
>   if (!strncmp (xlfd, "--", 2))
>     sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
>   else
>     sscanf (xlfd, "-%*[^-]-%179[^-]-", name);

Thanks for the fix. I expect this is copyright exempt, so I’ll push
the fix to emacs-26 soon.
-- 
Alan Third




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#29523; Package emacs. (Sat, 02 Dec 2017 08:11:02 GMT) Full text and rfc822 format available.

Message #11 received at 29523 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Alan Third <alan <at> idiocy.org>
Cc: 29523 <at> debbugs.gnu.org, masm-emacs <at> masm11.ddo.jp
Subject: Re: bug#29523: 25.3; buffer overflow in ns-font-name on mac
Date: Sat, 02 Dec 2017 10:10:09 +0200
> Date: Fri, 1 Dec 2017 19:43:08 +0000
> From: Alan Third <alan <at> idiocy.org>
> Cc: 29523 <at> debbugs.gnu.org
> 
> > The bug is in ns_xlfd_to_fontname() in nsterm.m:
> > 
> >   if (!strncmp (xlfd, "--", 2))
> >     sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
> >   else
> >     sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> > 
> > The positions of "179" are incorrect. They should be:
> > 
> >   if (!strncmp (xlfd, "--", 2))
> >     sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
> >   else
> >     sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
> 
> Thanks for the fix. I expect this is copyright exempt

It is.

Thanks.




Reply sent to Alan Third <alan <at> idiocy.org>:
You have taken responsibility. (Sat, 02 Dec 2017 13:51:01 GMT) Full text and rfc822 format available.

Notification sent to Yuuki Harano <masm-emacs <at> masm11.ddo.jp>:
bug acknowledged by developer. (Sat, 02 Dec 2017 13:51:02 GMT) Full text and rfc822 format available.

Message #16 received at 29523-done <at> debbugs.gnu.org (full text, mbox):

From: Alan Third <alan <at> idiocy.org>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 29523-done <at> debbugs.gnu.org, masm-emacs <at> masm11.ddo.jp
Subject: Re: bug#29523: 25.3; buffer overflow in ns-font-name on mac
Date: Sat, 2 Dec 2017 13:50:21 +0000
On Sat, Dec 02, 2017 at 10:10:09AM +0200, Eli Zaretskii wrote:
> > Date: Fri, 1 Dec 2017 19:43:08 +0000
> > From: Alan Third <alan <at> idiocy.org>
> > Cc: 29523 <at> debbugs.gnu.org
> > 
> > > The bug is in ns_xlfd_to_fontname() in nsterm.m:
> > > 
> > >   if (!strncmp (xlfd, "--", 2))
> > >     sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
> > >   else
> > >     sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> > > 
> > > The positions of "179" are incorrect. They should be:
> > > 
> > >   if (!strncmp (xlfd, "--", 2))
> > >     sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
> > >   else
> > >     sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
> > 
> > Thanks for the fix. I expect this is copyright exempt
> 
> It is.

Thanks for the confirmation. I’ve pushed to emacs-26.
-- 
Alan Third




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 31 Dec 2017 12:24:04 GMT) Full text and rfc822 format available.
