From unknown Sun Jun 22 00:55:25 2025
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Daniel Martín
To: 51105@debbugs.gnu.org
X-Debbugs-Original-To: bug-gnu-emacs@gnu.org
Resent-Date: Sat, 09 Oct 2021 00:31:01 +0000
From: Daniel Martín
Date: Sat, 09 Oct 2021 02:30:33 +0200

There is a buffer overflow bug in the function ns_compute_glyph_string_overhangs with some particular information received from the display engine. (I haven't reduced the test case yet so you may not reproduce the issue with the following recipe.)
emacs -Q

Attach a debugger to the Emacs process and add the following conditional breakpoint:

br set -f nsterm.m -l 2853 -c 's->nchars==0'

Continue running Emacs

M-x eww RET wikipedia.org RET

The debugger will stop with the following backtrace:

* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x000000010e25a20e emacs`ns_compute_glyph_string_overhangs(s=0x00007ffee232ef40) at nsterm.m:2853:7
    frame #1: 0x000000010da4cbdf emacs`draw_glyphs(w=0x00006210000ac130, x=66, row=0x000062b00029ae00, area=TEXT_AREA, start=0, end=12, hl=DRAW_NORMAL_TEXT, overlaps=0) at xdisp.c:29036:4
    frame #2: 0x000000010da49bd0 emacs`gui_write_glyphs(w=0x00006210000ac130, updated_row=0x000062b00029ae00, start=0x0000629001be4200, updated_area=TEXT_AREA, len=12) at xdisp.c:31179:7
    frame #3: 0x000000010d90bc4d emacs`update_text_area(w=0x00006210000ac130, updated_row=0x000062b00029ae00, vpos=28) at dispnew.c:3934:2
    frame #4: 0x000000010d902191 emacs`update_window_line(w=0x00006210000ac130, vpos=28, mouse_face_overwritten_p=0x00007ffee2331720) at dispnew.c:4177:11
    frame #5: 0x000000010d8d84f7 emacs`update_window(w=0x00006210000ac130, force_p=true) at dispnew.c:3680:19
    frame #6: 0x000000010d8d9bbc emacs`update_window_tree(w=0x00006210000ac130, force_p=true) at dispnew.c:3405:14
    frame #7: 0x000000010d8d67e6 emacs`update_frame(f=0x00006210000ad530, force_p=true, inhibit_hairy_id_p=false) at dispnew.c:3240:18
    frame #8: 0x000000010d9db568 emacs`redisplay_internal at xdisp.c:16160:16
    frame #9: 0x000000010d9eb0a9 emacs`redisplay_preserve_echo_area(from_where=12) at xdisp.c:16429:7
    frame #10: 0x000000010e0cb8e1 emacs`wait_reading_process_output(time_limit=0, nsecs=0, read_kbd=-1, do_display=true, wait_for_cell=0x0000000000000000, wait_proc=0x0000000000000000, just_wait_proc=0) at process.c:5789:7
    frame #11: 0x000000010dd99c82 emacs`kbd_buffer_get_event(kbp=0x00007ffee23371c0, used_mouse_menu=0x00007ffee23386c0, end_time=0x0000000000000000) at keyboard.c:3924:4
    frame #12: 0x000000010dd9825e emacs`read_event_from_main_queue(end_time=0x0000000000000000, local_getcjmp=0x00007ffee2338300, used_mouse_menu=0x00007ffee23386c0) at keyboard.c:2198:7
    frame #13: 0x000000010dd6a19a emacs`read_decoded_event_from_main_queue(end_time=0x0000000000000000, local_getcjmp=0x00007ffee2338300, prev_event=0x0000000000000000, used_mouse_menu=0x00007ffee23386c0) at keyboard.c:2262:11
    frame #14: 0x000000010dd632c8 emacs`read_char(commandflag=1, map=0x00006290003eb8a3, prev_event=0x0000000000000000, used_mouse_menu=0x00007ffee23386c0, end_time=0x0000000000000000) at keyboard.c:2892:11
    frame #15: 0x000000010dd58e1d emacs`read_key_sequence(keybuf=0x00007ffee23393a0, prompt=0x0000000000000000, dont_downcase_last=false, can_return_switch_frame=true, fix_current_buffer=true, prevent_redisplay=false) at keyboard.c:9619:12
    frame #16: 0x000000010dd539f3 emacs`command_loop_1 at keyboard.c:1392:15
    frame #17: 0x000000010dfa45d9 emacs`internal_condition_case(bfun=(emacs`command_loop_1 at keyboard.c:1278), handlers=0x0000000000000090, hfun=(emacs`cmd_error at keyboard.c:936)) at eval.c:1453:25
    frame #18: 0x000000010dd52903 emacs`command_loop_2(handlers=0x0000000000000090) at keyboard.c:1133:11
    frame #19: 0x000000010dfa2ff9 emacs`internal_catch(tag=0x000000000000df80, func=(emacs`command_loop_2 at keyboard.c:1129), arg=0x0000000000000090) at eval.c:1184:25
    frame #20: 0x000000010dd50f81 emacs`command_loop at keyboard.c:1111:2
    frame #21: 0x000000010dd50c9b emacs`recursive_edit_1 at keyboard.c:720:9
    frame #22: 0x000000010dd5147a emacs`Frecursive_edit at keyboard.c:803:3
    frame #23: 0x000000010dd4a05a emacs`main(argc=2, argv=0x00007ffee233a310) at emacs.c:2310:3
    frame #24: 0x00007fff20496f3d libdyld.dylib`start + 1

This line in nsterm.m will be executed and is problematic:

codes[1] = *(s->char2b + s->nchars - 1);

When s->nchars is 0, the code will reference one position before s->char2b.
I have two questions:

1) Is there any reason the function chooses the first and last glyphs instead of passing the whole glyph string and relying on text_extents to perform boundary checks? That is, I propose:

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..207da60481 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2853,11 +2853,7 @@ Hide the window (X11 semantics)
       if (s->char2b)
         {
           struct font_metrics metrics;
-          unsigned int codes[2];
-          codes[0] = *(s->char2b);
-          codes[1] = *(s->char2b + s->nchars - 1);
-
-          font->driver->text_extents (font, codes, 2, &metrics);
+          font->driver->text_extents (font, s->char2b, s->nchars, &metrics);
           s->left_overhang = -metrics.lbearing;
           s->right_overhang = metrics.rbearing > metrics.width

This way to call the text_extents API is also implemented in w32term.c and xterm.c.

2) The root cause of the issue may be that s->nchars is 0 when it shouldn't. Is there any legitimate scenario where the display engine may call this routine with s->nchars equal to 0? If so, what are those situations?

In GNU Emacs 29.0.50 (build 1, x86_64-apple-darwin20.6.0, NS appkit-2022.60 Version 11.6 (Build 20G165)) of 2021-10-09 built on Daniels-MacBook-Pro.local
Repository revision: 36d7c4af7c83c4f3ea9ab9fdd0822b986564d78e
Repository branch: master
Windowing system distributor 'Apple', version 10.3.2022
System Description: macOS 11.6

Configured using:
 'configure 'CFLAGS=-O0 -g3''

Configured features:
ACL DBUS GIF GLIB GMP GNUTLS JPEG JSON LCMS2 LIBXML2 MODULES NOTIFY KQUEUE NS PDUMPER PNG RSVG THREADS TIFF TOOLKIT_SCROLL_BARS XIM ZLIB

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  show-paren-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  indent-tabs-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.
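Review bot: the guard above the hunk is still only 'if (s->char2b)', so after this change a glyph string with s->nchars == 0 no longer reads *(s->char2b - 1) but instead hands a zero-length array to font->driver->text_extents; that relies on the NS font driver's text_extents tolerating n == 0 and leaves unanswered why nchars is 0 in the first place, which is the report's own question 2. The lldb output later in the thread (s->first_glyph->type = 1, s->cmp_from = 6, s->cmp_to = 7) points at a composite glyph string, for which char2b is not the right thing to measure at all, so consider tightening the guard to 'if (s->char2b && s->nchars > 0)' and handling COMPOSITE_GLYPH from its composition metrics rather than only widening the text_extents call. Measuring the whole array instead of codes[0] and codes[1] is otherwise consistent with the xterm.c and w32term.c callers the message cites.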
Features:
(shadow sort mail-extr emacsbug message rmc puny dired dired-loaddefs rfc822 mml mml-sec epa derived epg rfc6068 epg-config gnus-util rmail rmail-loaddefs auth-source cl-seq eieio eieio-core cl-macs eieio-loaddefs password-cache json map text-property-search time-date seq gv subr-x byte-opt bytecomp byte-compile cconv mm-decode mm-bodies mm-encode mail-parse rfc2231 mailabbrev gmm-utils mailheader cl-loaddefs cl-lib sendmail rfc2047 rfc2045 ietf-drums mm-util mail-prsvr mail-utils iso-transl tooltip eldoc paren electric uniquify ediff-hook vc-hooks lisp-float-type elisp-mode mwheel term/ns-win ns-win ucs-normalize mule-util term/common-win tool-bar dnd fontset image regexp-opt fringe tabulated-list replace newcomment text-mode lisp-mode prog-mode register page tab-bar menu-bar rfn-eshadow isearch easymenu timer select scroll-bar mouse jit-lock font-lock syntax font-core term/tty-colors frame minibuffer cl-generic cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms cp51932 hebrew greek romanian slovak czech european ethiopic indian cyrillic chinese composite emoji-zwj charscript charprop case-table epa-hook jka-cmpr-hook help simple abbrev obarray cl-preloaded nadvice button loaddefs faces cus-face macroexp files window text-properties overlay sha1 md5 base64 format env code-pages mule custom widget hashtable-print-readable backquote threads dbusbind kqueue cocoa ns lcms2 multi-tty make-network-process emacs)

Memory information:
((conses 16 49678 8809) (symbols 48 6572 1) (strings 32 17870 1691)
 (string-bytes 1 591830) (vectors 16 12905) (vector-slots 8 177066 9811)
 (floats 8 21 51) (intervals 56 191 0) (buffers 992 10))

Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Eli Zaretskii
Resent-Date: Sat, 09 Oct 2021 06:41:01 +0000
From: Eli Zaretskii
To: Daniel Martín
Cc: 51105@debbugs.gnu.org
Date: Sat, 09 Oct 2021 09:40:09 +0300
Message-Id: <83bl3yya46.fsf@gnu.org>

> Date: Sat, 09 Oct 2021 02:30:33 +0200
> From: Daniel Martín via "Bug reports for GNU Emacs,
> the Swiss army knife of text editors"
>
> 2) The root cause of the issue may be that s->nchars is 0 when it
> shouldn't. Is there any legitimate scenario where the display engine
> may call this routine with s->nchars equal to 0? If so, what are those
> situations?

I think if the glyph string has composition glyphs, nchars can be zero. What is the value of s->first_glyph->type in the case where it happens?

Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Daniel Martín
Resent-Date: Sat, 09 Oct 2021 10:07:01 +0000
To: Eli Zaretskii
Cc: 51105@debbugs.gnu.org
From: Daniel Martín
Date: Sat, 09 Oct 2021 12:06:36 +0200
In-Reply-To: <83bl3yya46.fsf@gnu.org> (Eli Zaretskii's message of "Sat, 09 Oct 2021 09:40:09 +0300")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)

Eli Zaretskii writes:

>> Date: Sat, 09 Oct 2021 02:30:33 +0200
>> From: Daniel Martín via "Bug reports for GNU Emacs,
>> the Swiss army knife of text editors"
>>
>> 2) The root cause of the issue may be that s->nchars is 0 when it
>> shouldn't. Is there any legitimate scenario where the display engine
>> may call this routine with s->nchars equal to 0? If so, what are those
>> situations?
>
> I think if the glyph string has composition glyphs, nchars can be
> zero. What is the value of s->first_glyph->type in the case where it
> happens?

Yep, it seems so:

(lldb) fr v s->first_glyph->type
(unsigned int:3) s->first_glyph->type = 1

I've found a 2006 commit that seemed to handle this particular pointer arithmetic logic for when the type of the first glyph is STRETCH_GLYPH:

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=825de9a1027073beaec38ab1572e9d954f8a1eb0

Now I think that the right thing to do may be to modify nsterm.m, switch on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call composition_gstring_width to get the glyph metrics. Function composition_gstring_width uses the values from fields s->cmp_from and s->cmp_to, and would avoid the buffer overflow:

(lldb) fr v s->cmp_from
(int) s->cmp_from = 6
(lldb) fr v s->cmp_to
(int) s->cmp_to = 7

WDYT? I can prepare a patch of this type if you agree.

I'll try to get the sequence of codepoints from the glyph string in the debugger, so we can have a reduced test case (i.e. the exact string from Wikipedia's front page that causes the issue).
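As an added example, not code from this bug report or from Emacs, the following C program models the overhang computation from the original report and the glyph-type dispatch proposed in the message above, so that both the nchars == 0 failure and the fix can be run on a toy font driver. The struct glyph_string, the enum glyph_type values, text_extents and the composition lookup are simplified stand-ins for the real Emacs definitions (COMPOSITE_GLYPH == 1 is chosen to match the type lldb printed; the mapping of composition metrics onto left_overhang/right_overhang is assumed, not taken from composite.c). The glyph metrics are constructed; cmp_from = 6 and cmp_to = 7 are copied from the lldb output. Because reading char2b[-1] is undefined behaviour, the original arithmetic is driven through a bounds-checked read that reports the bad index instead of performing it.

```c
/* Added example for bug#51105, not Emacs code.  struct glyph_string,
   enum glyph_type, text_extents and the composition lookup are
   simplified stand-ins for the Emacs definitions (assumptions); all
   glyph metrics below are constructed.  */
#include <stdbool.h>
#include <stdio.h>

enum glyph_type { CHAR_GLYPH = 0, COMPOSITE_GLYPH = 1, STRETCH_GLYPH = 4 };

struct font_metrics { int lbearing, rbearing, width; };

struct glyph_string
{
  enum glyph_type type;           /* stands in for s->first_glyph->type */
  const unsigned int *char2b;     /* glyph codes; valid indices 0..nchars-1 */
  int nchars;
  const unsigned int *cmp_codes;  /* composition glyph codes (stands in for s->cmp) */
  int cmp_len;
  int cmp_from, cmp_to;           /* composition range, as printed by lldb */
  int left_overhang, right_overhang;
};

/* Constructed per-glyph metrics, indexed by glyph code.  */
static const struct font_metrics glyph_table[] = {
  { 0, 6, 7 },   /* code 0: no overhang */
  { -2, 8, 7 },  /* code 1: ink 2px left of the origin */
  { 1, 10, 7 },  /* code 2: ink 3px past the advance width */
};
#define NGLYPHS (sizeof glyph_table / sizeof glyph_table[0])

/* Toy font->driver->text_extents: lbearing/rbearing of CODES[0..N-1]
   relative to the string origin, plus the total advance.  N == 0 gives
   all-zero metrics.  */
static void
text_extents (const unsigned int *codes, int n, struct font_metrics *m)
{
  m->lbearing = m->rbearing = m->width = 0;
  for (int i = 0; i < n; i++)
    {
      const struct font_metrics *g = &glyph_table[codes[i] % NGLYPHS];
      int lb = m->width + g->lbearing, rb = m->width + g->rbearing;
      if (i == 0 || lb < m->lbearing) m->lbearing = lb;
      if (i == 0 || rb > m->rbearing) m->rbearing = rb;
      m->width += g->width;
    }
}

/* Bounds-checked read: an index outside CODES[0..N-1] is reported, not
   performed, so char2b[-1] is a visible failure instead of UB.  */
static bool
read_code (const unsigned int *codes, int n, long idx, unsigned int *out)
{
  if (idx < 0 || idx >= n)
    return false;
  *out = codes[idx];
  return true;
}

static void
set_overhangs (struct glyph_string *s, const struct font_metrics *m)
{
  s->left_overhang = m->lbearing < 0 ? -m->lbearing : 0;
  s->right_overhang = m->rbearing > m->width ? m->rbearing - m->width : 0;
}

/* The original nsterm.m arithmetic: measure only the first and last glyph
   code.  Returns false when index nchars - 1 is out of bounds, i.e. the
   nchars == 0 case from the report.  */
static bool
overhangs_original (struct glyph_string *s)
{
  unsigned int codes[2];
  struct font_metrics metrics;
  if (!s->char2b)
    return true;
  if (!read_code (s->char2b, s->nchars, 0, &codes[0])
      || !read_code (s->char2b, s->nchars, (long) s->nchars - 1, &codes[1]))
    return false;  /* would have read *(s->char2b - 1) */
  text_extents (codes, 2, &metrics);
  set_overhangs (s, &metrics);
  return true;
}

/* The shape proposed in the thread: dispatch on the glyph type.  Character
   glyphs measure the whole char2b array (as xterm.c/w32term.c do) and need
   nchars > 0; composite glyphs measure cmp_from..cmp_to, the toy
   text_extents standing in for composition_gstring_width; other types
   carry no font overhangs.  */
static bool
overhangs_fixed (struct glyph_string *s)
{
  struct font_metrics metrics = { 0, 0, 0 };
  switch (s->type)
    {
    case CHAR_GLYPH:
      if (!s->char2b || s->nchars <= 0)
        return true;
      text_extents (s->char2b, s->nchars, &metrics);
      break;
    case COMPOSITE_GLYPH:
      if (!s->cmp_codes || s->cmp_from < 0 || s->cmp_to > s->cmp_len
          || s->cmp_from >= s->cmp_to)
        return true;
      text_extents (s->cmp_codes + s->cmp_from, s->cmp_to - s->cmp_from, &metrics);
      break;
    default:
      return true;
    }
  set_overhangs (s, &metrics);
  return true;
}

int
main (void)
{
  static const unsigned int text[] = { 1, 0, 2 };
  static const unsigned int cmp[] = { 0, 0, 0, 0, 0, 0, 1, 2 };
  struct glyph_string chars = { .type = CHAR_GLYPH, .char2b = text, .nchars = 3 };
  /* The report's situation: composite glyph, nchars == 0, cmp_from 6, cmp_to 7.  */
  struct glyph_string comp = { .type = COMPOSITE_GLYPH, .char2b = text, .nchars = 0,
                               .cmp_codes = cmp, .cmp_len = 8, .cmp_from = 6, .cmp_to = 7 };
  printf ("chars: %s (%d,%d)\n", overhangs_original (&chars) ? "ok" : "OOB",
          chars.left_overhang, chars.right_overhang);
  printf ("composite, original: %s\n",
          overhangs_original (&comp) ? "ok" : "OOB read at char2b[-1]");
  printf ("composite, fixed: %s (%d,%d)\n", overhangs_fixed (&comp) ? "ok" : "skipped",
          comp.left_overhang, comp.right_overhang);
  return 0;
}
```

On a normal character string both routines agree (in this model the first glyph decides lbearing and the last decides rbearing, so first-plus-last and whole-string measurement give the same overhangs); on the composite case the original reports the out-of-bounds index where the real code dereferences char2b - 1, and the fixed version measures the cmp_from..cmp_to range instead. Whether composition_gstring_width's lbearing and rbearing map onto left_overhang/right_overhang exactly as set_overhangs does here is an assumption to check against composite.c before turning this into a patch.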
Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
From: Eli Zaretskii
To: Daniel Martín, Alan Third
Cc: 51105@debbugs.gnu.org
Date: Sat, 09 Oct 2021 14:43:18 +0300
Resent-Date: Sat, 09 Oct 2021 11:44:01 +0000
Message-Id: <83v926whih.fsf@gnu.org>
In-Reply-To: (message from Daniel Martín on Sat, 09 Oct 2021 12:06:36 +0200)
References: <83bl3yya46.fsf@gnu.org>
> From: Daniel Martín
> Cc: 51105@debbugs.gnu.org
> Date: Sat, 09 Oct 2021 12:06:36 +0200
>
> Now I think that the right thing to do may be to modify nsterm.m, switch
> on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call
> composition_gstring_width to get the glyph metrics. Function
> composition_gstring_width uses the values from fields s->cmp_from and
> s->cmp_to, and would avoid the buffer overflow:
>
> (lldb) fr v s->cmp_from
> (int) s->cmp_from = 6
> (lldb) fr v s->cmp_to
> (int) s->cmp_to = 7
>
> WDYT? I can prepare a patch of this type if you agree.

SGTM, but I'd like to hear Alan's opinion as well, as I don't feel I know enough about the NS display backend.

Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Alan Third
Resent-Date: Sat, 09 Oct 2021 13:58:01 +0000
To: Eli Zaretskii
Cc: 51105@debbugs.gnu.org, Daniel Martín
Date: Sat, 9 Oct 2021 14:57:40 +0100
From: Alan Third
Mail-Followup-To: Alan Third, Eli Zaretskii, Daniel Martín, 51105@debbugs.gnu.org
References: <83bl3yya46.fsf@gnu.org> <83v926whih.fsf@gnu.org>
In-Reply-To: <83v926whih.fsf@gnu.org>

On Sat, Oct 09, 2021 at 02:43:18PM +0300, Eli Zaretskii wrote:
> > From: Daniel Martín
> > Cc: 51105@debbugs.gnu.org
> > Date: Sat, 09 Oct 2021 12:06:36 +0200
> >
> > Now I think that the right thing to do may be to modify nsterm.m, switch
> > on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call
> > composition_gstring_width to get the glyph metrics. Function
> > composition_gstring_width uses the values from fields s->cmp_from and
> > s->cmp_to, and would avoid the buffer overflow:
> >
> > (lldb) fr v s->cmp_from
> > (int) s->cmp_from = 6
> > (lldb) fr v s->cmp_to
> > (int) s->cmp_to = 7
> >
> > WDYT? I can prepare a patch of this type if you agree.
>
> SGTM, but I'd like to hear Alan's opinion as well, as I don't feel I
> know enough about the NS display backend.

I don't know much about this part of the code, but it sounds good to me too.
--
Alan Third

Subject: bug#51105: 29.0.50; Buffer overflow bug in ns_compute_glyph_string_overhangs
Resent-From: Daniel Martín
Resent-Date: Sat, 09 Oct 2021 19:36:02 +0000
To: Alan Third
Cc: 51105@debbugs.gnu.org, Eli Zaretskii
19:35:23 +0000 (UTC) From: Daniel =?UTF-8?Q?Mart=C3=ADn?= References: <83bl3yya46.fsf@gnu.org> <83v926whih.fsf@gnu.org> Date: Sat, 09 Oct 2021 21:35:22 +0200 In-Reply-To: (Alan Third's message of "Sat, 9 Oct 2021 14:57:40 +0100") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Mailer: WebService/1.1.19116 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo Content-Length: 3951 X-Spam-Score: 0.2 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Alan Third writes: > On Sat, Oct 09, 2021 at 02:43:18PM +0300, Eli Zaretskii wrote: 
>> > From: Daniel Mart=C3=ADn >> > Cc: 51105@debbugs.gnu.org >> > Date: Sat, 09 Oct 2021 12:06:36 +0200 >> >=20 >> > Now I think that the right thing to do may be to modify nsterm.m, swit= ch >> > on the glyph type and, if the glyph type is COMPOSITE_GLYPH, call >> > composition_gstring_width to get the glyph metrics. Function >> > composition_gstring_width uses the values from fields s->cmp_from and >> > s->cmp_to, and would avoid the buffer overflow: >> >=20 >> > (lldb) fr v s->cmp_from >> > (int) s->cmp_from =3D 6 >> > (lldb) fr v s->cmp_to >> > (int) s->cmp_to =3D 7 >> >=20 >> > WDYT? I can prepare a patch of this type if you agree. >>=20 >> SGTM, but I'd like to hear Alan's opinion as well, as I don't feel I >> know enough about the NS display backend. > > I don't know much about this part of the code, but it sounds good to > me too. A reduced test case to reproduce the problem is to paste "=D8=A7=D9=84=D8= =B9=D8=B1=D8=A8=D9=8A=D8=A9" in the *scratch* buffer. I've attached a patch that fixes the issue. --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=0001-Fix-buffer-overflow-in-ns_compute_glyph_string_overh.patch >From 23897a25d7ddebc06ab855058d36a5e291e5cba3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Mart=C3=ADn?= Date: Sat, 9 Oct 2021 21:10:20 +0200 Subject: [PATCH] Fix buffer overflow in ns_compute_glyph_string_overhangs * src/nsterm.m (ns_compute_glyph_string_overhangs): When the first glyph of a glyph string is a composite glyph, `s->nchars' is 0, so "s->char2b + s->nchars - 1" dereferenced a position before buffer `s->char2b'. Instead, rewrite part of the function to distinguish between character glyphs and composite glyphs. For character glyphs, calculate the font metrics using the `text_extents' function, passing it the entire glyph string; for composite glyphs, call `composition_gstring_width'. (Bug#51105) --- src/nsterm.m | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) 
diff --git a/src/nsterm.m b/src/nsterm.m index a6c2e7505b..e616766ec7 100644 --- a/src/nsterm.m +++ b/src/nsterm.m 
@@ -2848,20 +2848,27 @@ Hide the window (X11 semantics) External (RIF); compute left/right overhang of whole string and set in s -------------------------------------------------------------------------- */ { - struct font *font = s->font; - if (s->char2b) { struct font_metrics metrics; - unsigned int codes[2]; - codes[0] = *(s->char2b); - codes[1] = *(s->char2b + s->nchars - 1); - - font->driver->text_extents (font, codes, 2, &metrics); - s->left_overhang = -metrics.lbearing; - s->right_overhang - = metrics.rbearing > metrics.width - ? metrics.rbearing - metrics.width : 0; + if (s->first_glyph->type == CHAR_GLYPH && !s->font_not_found_p) + { + struct font *font = s->font; + font->driver->text_extents (font, s->char2b, s->nchars, &metrics); + s->left_overhang = -metrics.lbearing; + s->right_overhang + = metrics.rbearing > metrics.width + ? metrics.rbearing - metrics.width : 0; + } + else if (s->first_glyph->type == COMPOSITE_GLYPH) + { + Lisp_Object gstring = composition_gstring_from_id (s->cmp_id); + + composition_gstring_width (gstring, s->cmp_from, s->cmp_to, &metrics); + s->right_overhang = (metrics.rbearing > metrics.width + ? metrics.rbearing - metrics.width : 0); + s->left_overhang = metrics.lbearing < 0 ? -metrics.lbearing : 0; + } } else { -- 2.31.0 --=-=-= Content-Type: text/plain Let me know if you like it and please install it on my behalf if so. Thanks. 
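Review bot: The two new branches disagree on how a positive left bearing is treated. The CHAR_GLYPH branch keeps the pre-patch `s->left_overhang = -metrics.lbearing;`, which goes negative when the first glyph's lbearing is positive, while the COMPOSITE_GLYPH branch clamps with `s->left_overhang = metrics.lbearing < 0 ? -metrics.lbearing : 0;`. Unless a negative left overhang is intentional for character glyphs, use the same clamp in both branches (the right-overhang expression is already identical in the two), or add a comment saying why they differ. Also worth a comment: the CHAR_GLYPH branch now passes the whole run (`s->char2b, s->nchars`) to `text_extents` instead of the old two-entry `codes[2]`, so `metrics.width` becomes the advance of the entire string rather than of the first and last glyphs.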
From: Daniel Martín
To: 51105@debbugs.gnu.org
Cc: alan@idiocy.org, eliz@gnu.org
Date: Sat, 09 Oct 2021 21:41:57 +0200
In-Reply-To: (Daniel Martín's message of "Sat, 09 Oct 2021 21:35:22 +0200")
References: <83bl3yya46.fsf@gnu.org> <83v926whih.fsf@gnu.org>

Daniel Martín via "Bug reports for GNU Emacs, the Swiss army knife of
text editors" writes:

> A reduced test case to reproduce the problem is to paste "العربية" in the
> *scratch* buffer.
>
> I've attached a patch that fixes the issue.
>
> Let me know if you like it and please install it on my behalf if so.
> Thanks.

Sorry, there was an indentation problem in the previous patch. Here's
an updated one.

Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-Fix-buffer-overflow-in-ns_compute_glyph_string_overh.patch

From 1f64cf0bb78b77570d60f70c2e2342c2293a5ffb Mon Sep 17 00:00:00 2001
From: Daniel Martín
Date: Sat, 9 Oct 2021 21:10:20 +0200
Subject: [PATCH] Fix buffer overflow in ns_compute_glyph_string_overhangs

* src/nsterm.m (ns_compute_glyph_string_overhangs): When the first
glyph of a glyph string is a composite glyph, `s->nchars' is 0, so
"s->char2b + s->nchars - 1" dereferenced a position before buffer
`s->char2b'.  Instead, rewrite part of the function to distinguish
between character glyphs and composite glyphs.  For character glyphs,
calculate the font metrics using the `text_extents' function, passing
it the entire glyph string; for composite glyphs, call
`composition_gstring_width'.  (Bug#51105)
---
 src/nsterm.m | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/nsterm.m b/src/nsterm.m
index a6c2e7505b..e8e08640c6 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -2848,20 +2848,27 @@ Hide the window (X11 semantics) External (RIF); compute left/right overhang of whole string and set in s -------------------------------------------------------------------------- */ { - struct font *font = s->font; - if (s->char2b) { struct font_metrics metrics; - unsigned int codes[2]; - codes[0] = *(s->char2b); - codes[1] = *(s->char2b + s->nchars - 1); - - font->driver->text_extents (font, codes, 2, &metrics); - s->left_overhang = -metrics.lbearing; - s->right_overhang - = metrics.rbearing > metrics.width - ? metrics.rbearing - metrics.width : 0; + if (s->first_glyph->type == CHAR_GLYPH && !s->font_not_found_p) + { + struct font *font = s->font; + font->driver->text_extents (font, s->char2b, s->nchars, &metrics); + s->left_overhang = -metrics.lbearing; + s->right_overhang + = metrics.rbearing > metrics.width + ? metrics.rbearing - metrics.width : 0; + } + else if (s->first_glyph->type == COMPOSITE_GLYPH) + { + Lisp_Object gstring = composition_gstring_from_id (s->cmp_id); + + composition_gstring_width (gstring, s->cmp_from, s->cmp_to, &metrics); + s->right_overhang = (metrics.rbearing > metrics.width + ? metrics.rbearing - metrics.width : 0); + s->left_overhang = metrics.lbearing < 0 ? 
-metrics.lbearing : 0; + } } else { -- 2.31.0
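Review bot: The new `if` / `else if` chain inside `if (s->char2b)` has no fallback. A string whose first glyph is a CHAR_GLYPH with `s->font_not_found_p` set, or whose first glyph is neither CHAR_GLYPH nor COMPOSITE_GLYPH, now leaves `s->left_overhang` and `s->right_overhang` untouched, whereas the removed code assigned both for every string with a non-NULL `s->char2b`. Add a final `else` that sets both to 0 (or zero them before the dispatch) so callers never see stale values; on that same path `metrics` is declared but never written, which is harmless today but easy to trip over in a later edit.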
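The indexing defect the commit message describes, `nchars - 1` evaluated for a composite-first string with `nchars == 0`, next to a guarded computation along the lines of the patch, as an added C model that is not Emacs code: the `glyph_string` struct, `mock_text_extents`, the `cmp_codes`/`cmp_len` fields and all sample values are constructed stand-ins, with cmp_from = 6 and cmp_to = 7 taken from the lldb output quoted in the thread.

```c
/* Constructed C model of the glyph-string shape behind Bug#51105.  Not Emacs
   code: struct, glyph types and metrics function are simplified stand-ins. */
#include <stddef.h>

enum glyph_type { CHAR_GLYPH, COMPOSITE_GLYPH, STRETCH_GLYPH };
struct font_metrics { int lbearing, rbearing, width; };
struct overhangs { int rc, left, right; };
struct glyph_string {
  enum glyph_type first_type;    /* stands in for s->first_glyph->type */
  const unsigned int *char2b;    /* per-character font codes, nchars of them */
  int nchars;                    /* 0 when the first glyph is a composition */
  const unsigned int *cmp_codes; /* codes of the whole composition (assumed) */
  int cmp_len;                   /* number of entries in cmp_codes (assumed) */
  int cmp_from, cmp_to;          /* half-open range of the composition drawn */
};
/* Stand-in for font->driver->text_extents: deterministic per-code advance
   and bearings so the expected values can be asserted. */
static void mock_text_extents(const unsigned int *codes, int n,
                              struct font_metrics *m)
{
  m->width = m->lbearing = m->rbearing = 0;
  for (int i = 0; i < n; i++) {
    int adv = 8 + (int) (codes[i] % 4);
    if (i == 0)
      m->lbearing = -(int) (codes[i] % 5);               /* may hang left */
    m->rbearing = m->width + adv + (int) (codes[i] % 3); /* may hang right */
    m->width += adv;
  }
}
/* Element offset the pre-patch code read for the "last" character,
   nchars - 1.  With a composite first glyph nchars is 0, so the read lands
   one element before the start of char2b. */
static ptrdiff_t old_last_code_offset(const struct glyph_string *s)
{
  return (ptrdiff_t) s->nchars - 1;
}
/* Guarded computation in the spirit of the patch: dispatch on the glyph
   type and validate every range before touching a buffer.  rc is 0 on
   success and -1 for a malformed string (overhangs then stay 0). */
static struct overhangs compute_overhangs(const struct glyph_string *s)
{
  struct overhangs o = { 0, 0, 0 };
  struct font_metrics m = { 0, 0, 0 };
  if (s->first_type == CHAR_GLYPH) {
    if (s->char2b == NULL || s->nchars < 1) { o.rc = -1; return o; }
    mock_text_extents(s->char2b, s->nchars, &m);
  } else if (s->first_type == COMPOSITE_GLYPH) {
    if (s->cmp_codes == NULL || s->cmp_from < 0 || s->cmp_to > s->cmp_len
        || s->cmp_from >= s->cmp_to) { o.rc = -1; return o; }
    mock_text_extents(s->cmp_codes + s->cmp_from, s->cmp_to - s->cmp_from, &m);
  } else {
    return o;                        /* stretch and similar: no overhangs */
  }
  o.left = m.lbearing < 0 ? -m.lbearing : 0;
  o.right = m.rbearing > m.width ? m.rbearing - m.width : 0;
  return o;
}
/* Sample inputs, constructed for this example.  The Arabic code points are
   the thread's reduced test case; cmp_from = 6 and cmp_to = 7 are the
   values shown in the lldb session. */
static const unsigned int SAMPLE_LATIN[] = { 0x41, 0x42, 0x43 };
static const unsigned int SAMPLE_ARABIC[] =
  { 0x627, 0x644, 0x639, 0x631, 0x628, 0x64A, 0x629 };

/* Composite-first string: char2b is non-NULL but nchars is 0, the shape
   that made the old "s->char2b + s->nchars - 1" point before the buffer. */
static struct glyph_string composite_string(void)
{
  struct glyph_string s = { COMPOSITE_GLYPH, SAMPLE_ARABIC, 0,
                            SAMPLE_ARABIC, 7, 6, 7 };
  return s;
}
static ptrdiff_t composite_old_offset(void)
{ struct glyph_string s = composite_string(); return old_last_code_offset(&s); }
static struct overhangs composite_case(void)
{ struct glyph_string s = composite_string(); return compute_overhangs(&s); }
static struct overhangs char_case(void)
{ struct glyph_string s = { CHAR_GLYPH, SAMPLE_LATIN, 3, NULL, 0, 0, 0 };
  return compute_overhangs(&s); }
/* A CHAR_GLYPH string claiming zero characters is rejected, not read. */
static struct overhangs empty_char_case(void)
{ struct glyph_string s = { CHAR_GLYPH, SAMPLE_LATIN, 0, NULL, 0, 0, 0 };
  return compute_overhangs(&s); }
```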
From: Stefan Kangas
Date: Mon, 11 Oct 2021 07:18:14 -0700
Subject: control message for bug #51105
To: control@debbugs.gnu.org

tags 51105 + patch
quit

From: Lars Ingebrigtsen
To: Daniel Martín
Cc: 51105@debbugs.gnu.org, alan@idiocy.org, eliz@gnu.org
Date: Fri, 05 Nov 2021 03:39:01 +0100
In-Reply-To: (Daniel Martín's message of "Sat, 09 Oct 2021 21:41:57 +0200")
References: <83bl3yya46.fsf@gnu.org> <83v926whih.fsf@gnu.org>
Message-ID: <8735obnx6i.fsf@gnus.org>

Daniel Martín writes:

> Sorry, there was an indentation problem in the previous patch. Here's
> an updated one.

It seemed like Alan agreed with the fix, and I tested it now on my M1
Apple laptop, and it didn't break anything obvious, so I've now pushed
Daniel's patch to the trunk.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From: Lars Ingebrigtsen
Date: Fri, 05 Nov 2021 03:39:09 +0100
Message-Id: <871r3vnx6a.fsf@gnus.org>
Subject: control message for bug #51105
To: control@debbugs.gnu.org

close 51105 29.1
quit