Subject: bug#29523: 25.3; buffer overflow in ns-font-name on mac
From: Yuuki Harano
Organization: Ingage Inc.
To: bug-gnu-emacs@gnu.org
Date: Fri, 01 Dec 2017 23:53:34 +0900 (JST)
Message-Id: <20171201.235334.2302300328404793169.masm@luna.pink.masm11.ddo.jp>
Resent-Date: Fri, 01 Dec 2017 16:25:02 +0000
X-GNU-PR-Message: report 29523
X-GNU-PR-Package: emacs

After I evaluate this code on mac Emacs:

    (let ((font-name "") (i 0))
      (while (< i 100)
        (setq font-name (concat font-name "abcdefghijklmnopqrstuvwxyz"))
        (setq i (1+ i)))
      (setq font-name (concat "-*-" font-name "-"))
      (ns-font-name font-name))

then Emacs crashes.
The bug is in ns_xlfd_to_fontname() in nsterm.m:

    if (!strncmp (xlfd, "--", 2))
      sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
    else
      sscanf (xlfd, "-%*[^-]-%[^-]179-", name);

The positions of "179" are incorrect. They should be:

    if (!strncmp (xlfd, "--", 2))
      sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
    else
      sscanf (xlfd, "-%*[^-]-%179[^-]-", name);

Thanks.

In GNU Emacs 25.3.1 (x86_64-apple-darwin16.7.0, NS appkit-1504.83 Version 10.12.6 (Build 16G1036))
 of 2017-12-01 built on yuukinombp.pink.masm11.ddo.jp
Windowing system distributor 'Apple', version 10.3.1504

Configured using:
 'configure --without-x --with-ns --with-modules
 PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:/usr/lib64/pkgconfig'

Configured features:
NOTIFY ACL LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES

Important settings:
  value of $LANG: ja_JP.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Fundamental

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  buffer-read-only: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:

Load-path shadows:
None found.
Features:
(shadow sort mail-extr emacsbug message dired format-spec rfc822 mml mml-sec
password-cache epg gnus-util mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045 ietf-drums mm-util
help-fns mail-prsvr mail-utils ibuf-macs ibuffer finder-inf info package
epg-config seq byte-opt gv bytecomp byte-compile cl-extra help-mode easymenu
cconv cl-loaddefs pcase cl-lib time-date mule-util japan-util tooltip eldoc
electric uniquify ediff-hook vc-hooks lisp-float-type mwheel ns-win
ucs-normalize term/common-win tool-bar dnd fontset image regexp-opt fringe
tabulated-list newcomment elisp-mode lisp-mode prog-mode register page
menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock font-lock syntax
facemenu font-core frame cl-generic cham georgian utf-8-lang misc-lang
vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms cp51932 hebrew
greek romanian slovak czech european ethiopic indian cyrillic chinese
charscript case-table epa-hook jka-cmpr-hook help simple abbrev minibuffer
cl-preloaded nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule custom
widget hashtable-print-readable backquote kqueue cocoa ns multi-tty
make-network-process emacs)

Memory information:
((conses 16 220523 8595) (symbols 48 21882 0) (miscs 40 81 191)
 (strings 32 23156 7162) (string-bytes 1 718249) (vectors 16 44445)
 (vector-slots 8 816828 4794) (floats 8 194 21) (intervals 56 193 0)
 (buffers 976 18))

-- 
Yuuki Harano

Subject: bug#29523: 25.3; buffer overflow in ns-font-name on mac
From: Alan Third
To: Yuuki Harano
Cc: 29523@debbugs.gnu.org
Resent-Date: Fri, 01 Dec 2017 19:44:02 +0000
X-GNU-PR-Message: followup 29523
Date: Fri, 1 Dec 2017 19:43:08 +0000
Message-ID: <20171201194308.GA44478@breton.holly.idiocy.org>
In-Reply-To: <20171201.235334.2302300328404793169.masm@luna.pink.masm11.ddo.jp>

On Fri, Dec 01, 2017 at 11:53:34PM +0900, Yuuki Harano wrote:
> After I evaluate this code on mac Emacs:
>
>     (let ((font-name "") (i 0))
>       (while (< i 100)
>         (setq font-name (concat font-name "abcdefghijklmnopqrstuvwxyz"))
>         (setq i (1+ i)))
>       (setq font-name (concat "-*-" font-name "-"))
>       (ns-font-name font-name))
>
> then Emacs crashes.
>
> The bug is in ns_xlfd_to_fontname() in nsterm.m:
>
>     if (!strncmp (xlfd, "--", 2))
>       sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
>     else
>       sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
>
> The positions of "179" are incorrect.
> They should be:
>
>     if (!strncmp (xlfd, "--", 2))
>       sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
>     else
>       sscanf (xlfd, "-%*[^-]-%179[^-]-", name);

Thanks for the fix. I expect this is copyright exempt, so I’ll push the
fix to emacs-26 soon.

-- 
Alan Third

Subject: bug#29523: 25.3; buffer overflow in ns-font-name on mac
From: Eli Zaretskii
To: Alan Third
Cc: 29523@debbugs.gnu.org, masm-emacs@masm11.ddo.jp
Resent-Date: Sat, 02 Dec 2017 08:11:02 +0000
X-GNU-PR-Message: followup 29523
Date: Sat, 02 Dec 2017 10:10:09 +0200
Message-Id: <83r2sd1rfi.fsf@gnu.org>
In-reply-to: <20171201194308.GA44478@breton.holly.idiocy.org> (message from Alan Third on Fri, 1 Dec 2017 19:43:08 +0000)

> Date: Fri, 1 Dec 2017 19:43:08 +0000
> From: Alan Third
> Cc: 29523@debbugs.gnu.org
>
> > The bug is in ns_xlfd_to_fontname() in nsterm.m:
> >
> >     if (!strncmp (xlfd, "--", 2))
> >       sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
> >     else
> >       sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> >
> > The positions of "179" are incorrect. They should be:
> >
> >     if (!strncmp (xlfd, "--", 2))
> >       sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
> >     else
> >       sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
>
> Thanks for the fix. I expect this is copyright exempt

It is. Thanks.
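The corrected format string from this thread, as an added example that is not part of any message above and not Emacs's own nsterm.m code: it parses an XLFD with the fixed "%179[^-]" width and then feeds it the report's 2600-character field to show the scan stops at 179 bytes. The 180-byte destination buffer is an assumption (the thread shows only the format strings), as are the helper names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Destination buffer size: assumed to be 180 bytes here, which is what the
   fixed width "%179[^-]" implies (179 characters plus the terminating NUL). */
#define NAME_LEN 180

/* Copy the field that ns_xlfd_to_fontname() stores in name[] using the
   corrected sscanf formats from the report.  With "%179[^-]" the 179 is a
   maximum field width, so the scan stops after 179 bytes; in the original
   "%[^-]179-" the scan was unbounded and "179" was a literal that sscanf
   expected to find in the input.  Returns 1 on success, 0 otherwise. */
int xlfd_font_name (const char *xlfd, char name[NAME_LEN])
{
  int rc;
  name[0] = '\0';
  if (!strncmp (xlfd, "--", 2))
    rc = sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
  else
    rc = sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
  return rc == 1;
}

/* 1 if parsing xlfd succeeds and yields exactly expected, else 0. */
int font_name_matches (const char *xlfd, const char *expected)
{
  char name[NAME_LEN];
  return xlfd_font_name (xlfd, name) && strcmp (name, expected) == 0;
}

/* Rebuild the report's crashing input, "-*-" + 100 x "a..z" + "-" (a
   2600-byte field, constructed here), parse it into a buffer followed by a
   canary, and return the number of bytes stored (expected 179), or -1 if
   the canary was clobbered, i.e. if the buffer had overflowed. */
long overlong_font_name_len (void)
{
  struct { char name[NAME_LEN]; char canary[8]; } buf;
  char *xlfd = malloc (3 + 26 * 100 + 1 + 1);
  long len;
  int i;

  if (!xlfd)
    return -1;
  strcpy (xlfd, "-*-");
  for (i = 0; i < 100; i++)
    strcat (xlfd, "abcdefghijklmnopqrstuvwxyz");
  strcat (xlfd, "-");

  memcpy (buf.canary, "CANARY!", 8);
  xlfd_font_name (xlfd, buf.name);
  len = (long) strlen (buf.name);
  if (memcmp (buf.canary, "CANARY!", 8) != 0)
    len = -1;
  free (xlfd);
  return len;
}

int main (void)
{
  char name[NAME_LEN];
  const char *xlfd = "-*-Courier-medium-r-normal--0-0-0-0-m-0-iso10646-1";
  if (xlfd_font_name (xlfd, name))
    printf ("%s -> %s\n", xlfd, name);
  printf ("report's 2600-byte field stored as %ld bytes\n",
          overlong_font_name_len ());
  return 0;
}
```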
Subject: bug#29523: closed (Re: bug#29523: 25.3; buffer overflow in ns-font-name on mac)
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Yuuki Harano
Reply-To: 29523@debbugs.gnu.org
Date: Sat, 02 Dec 2017 13:51:02 +0000
X-Gnu-PR-Message: they-closed 29523
X-Gnu-PR-Package: emacs

Your bug report

#29523: 25.3; buffer overflow in ns-font-name on mac

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 29523@debbugs.gnu.org.

-- 
29523: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=29523
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Subject: Re: bug#29523: 25.3; buffer overflow in ns-font-name on mac
From: Alan Third
To: Eli Zaretskii
Cc: 29523-done@debbugs.gnu.org, masm-emacs@masm11.ddo.jp
Date: Sat, 2 Dec 2017 13:50:21 +0000
Message-ID: <20171202135021.GA77693@breton.holly.idiocy.org>
In-Reply-To: <83r2sd1rfi.fsf@gnu.org>

On Sat, Dec 02, 2017 at 10:10:09AM +0200, Eli Zaretskii wrote:
> > Date: Fri, 1 Dec 2017 19:43:08 +0000
> > From: Alan Third
> > Cc: 29523@debbugs.gnu.org
> >
> > > The bug is in ns_xlfd_to_fontname() in nsterm.m:
> > >
> > >     if (!strncmp (xlfd, "--", 2))
> > >       sscanf (xlfd, "--%*[^-]-%[^-]179-", name);
> > >     else
> > >       sscanf (xlfd, "-%*[^-]-%[^-]179-", name);
> > >
> > > The positions of "179" are incorrect. They should be:
> > >
> > >     if (!strncmp (xlfd, "--", 2))
> > >       sscanf (xlfd, "--%*[^-]-%179[^-]-", name);
> > >     else
> > >       sscanf (xlfd, "-%*[^-]-%179[^-]-", name);
> >
> > Thanks for the fix. I expect this is copyright exempt
>
> It is.

Thanks for the confirmation. I’ve pushed to emacs-26.

-- 
Alan Third