diff --git a/ChangeLog b/ChangeLog index 46a27661a..b6a419db6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,21 @@ +2014-02-26 Wermer Lemberg + + [bdf] Fix Savannah bug #41692. + + bdflib puts data from the input stream into a buffer in chunks of + 1024 bytes. The data itself gets then parsed line by line, simply + increasing the current pointer into the buffer; if the search for + the final newline character exceeds the buffer size, more data gets + read. + + However, in case the current line's end is very near to the buffer + end, and the keyword to compare with is longer than the current + line's length, an out-of-bounds read might happen since `memcmp' + doesn't stop properly at the string end. + + * src/bdf/bdflib.c: s/ft_memcmp/ft_strncmp/ to make comparisons + stop at string ends. + 2014-02-17 suzuki toshiya [autofit] Fix `make multi' compilation. diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c index c9e231ea1..b0ec2924b 100644 --- a/src/bdf/bdflib.c +++ b/src/bdf/bdflib.c @@ -1409,7 +1409,7 @@ /* If the property happens to be a comment, then it doesn't need */ /* to be added to the internal hash table. */ - if ( ft_memcmp( name, "COMMENT", 7 ) != 0 ) + if ( ft_strncmp( name, "COMMENT", 7 ) != 0 ) { /* Add the property to the font property table. */ error = hash_insert( fp->name, 
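Review bot: The `COMMENT` test in the -1409 hunk, and the `DEFAULT_CHAR` / `FONT_ASCENT` / `FONT_DESCENT` / `SPACING` chain in the following -1427 hunk, still accept any property name that merely begins with the keyword, because only the first n bytes are compared. In the -1427 hunk this means a name such as `FONT_ASCENT` followed by extra characters would have `fp->value.l` copied into `font->font_ascent`, while the same hunk also reads `fp->value.atom`, so the member read may not match the format the property was stored with. If `name` is the bare NUL-terminated property name at this point (the function starts outside both hunks, so this is an assumption to confirm), an exact comparison closes the gap: `if ( ft_strcmp( name, "COMMENT" ) != 0 )`, and likewise for the other four names.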
@@ -1427,13 +1427,13 @@ /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */ /* present, and the SPACING property should override the default */ /* spacing. */ - if ( ft_memcmp( name, "DEFAULT_CHAR", 12 ) == 0 ) + if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 ) font->default_char = fp->value.l; - else if ( ft_memcmp( name, "FONT_ASCENT", 11 ) == 0 ) + else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 ) font->font_ascent = fp->value.l; - else if ( ft_memcmp( name, "FONT_DESCENT", 12 ) == 0 ) + else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 ) font->font_descent = fp->value.l; - else if ( ft_memcmp( name, "SPACING", 7 ) == 0 ) + else if ( ft_strncmp( name, "SPACING", 7 ) == 0 ) { if ( !fp->value.atom ) { @@ -1491,7 +1491,7 @@ memory = font->memory; /* Check for a comment. */ - if ( ft_memcmp( line, "COMMENT", 7 ) == 0 ) + if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) { linelen -= 7; @@ -1508,7 +1508,7 @@ /* The very first thing expected is the number of glyphs. */ if ( !( p->flags & _BDF_GLYPHS ) ) { - if ( ft_memcmp( line, "CHARS", 5 ) != 0 ) + if ( ft_strncmp( line, "CHARS", 5 ) != 0 ) { FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" )); error = FT_THROW( Missing_Chars_Field ); @@ -1542,7 +1542,7 @@ } /* Check for the ENDFONT field. */ - if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 ) + if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 ) { /* Sort the glyphs by encoding. */ ft_qsort( (char *)font->glyphs, @@ -1556,7 +1556,7 @@ } /* Check for the ENDCHAR field. */ - if ( ft_memcmp( line, "ENDCHAR", 7 ) == 0 ) + if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 ) { p->glyph_enc = 0; p->flags &= ~_BDF_GLYPH_BITS; @@ -1572,7 +1572,7 @@ goto Exit; /* Check for the STARTCHAR field. */ - if ( ft_memcmp( line, "STARTCHAR", 9 ) == 0 ) + if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 ) { /* Set the character name in the parse info first until the */ /* encoding can be checked for an unencoded character. */ 
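Review bot: The keyword tests on `line` match a prefix only: in the -1491 hunk `ft_strncmp( line, "COMMENT", 7 ) == 0` is followed directly by `linelen -= 7`, and nothing checks that byte 7 is a separator or the end of the line. The same holds for the other `line` comparisons in this patch (`CHARS`, `ENDFONT`, `ENDCHAR`, `STARTCHAR`, `ENCODING`, `SWIDTH`, `DWIDTH`, `BBX`, `BITMAP`, `ENDPROPERTIES`, `_XFREE86_GLYPH_RANGES`, `STARTFONT`, `STARTPROPERTIES`, `FONTBOUNDINGBOX`, `FONT`, `SIZE`), and the `FONT` test in the -2223 hunk appears to give the right answer only because the `FONTBOUNDINGBOX` test in the -2192 hunk comes first. Given the NUL-terminated line this commit relies on, a successful n-byte `ft_strncmp` means `line[n]` is at worst the terminator, so the delimiter can be checked in the same condition, e.g. `if ( ft_strncmp( line, "COMMENT", 7 ) == 0 && ( line[7] == ' ' || line[7] == '\0' ) )`; the exact set of separator characters should follow what the field splitter accepts. The enclosing functions start and end outside these hunks.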
@@ -1606,7 +1606,7 @@ } /* Check for the ENCODING field. */ - if ( ft_memcmp( line, "ENCODING", 8 ) == 0 ) + if ( ft_strncmp( line, "ENCODING", 8 ) == 0 ) { if ( !( p->flags & _BDF_GLYPH ) ) { @@ -1792,7 +1792,7 @@ } /* Expect the SWIDTH (scalable width) field next. */ - if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 ) + if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 ) { if ( !( p->flags & _BDF_ENCODING ) ) goto Missing_Encoding; @@ -1808,7 +1808,7 @@ } /* Expect the DWIDTH (scalable width) field next. */ - if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 ) + if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 ) { if ( !( p->flags & _BDF_ENCODING ) ) goto Missing_Encoding; @@ -1836,7 +1836,7 @@ } /* Expect the BBX field next. */ - if ( ft_memcmp( line, "BBX", 3 ) == 0 ) + if ( ft_strncmp( line, "BBX", 3 ) == 0 ) { if ( !( p->flags & _BDF_ENCODING ) ) goto Missing_Encoding; @@ -1904,7 +1904,7 @@ } /* And finally, gather up the bitmap. */ - if ( ft_memcmp( line, "BITMAP", 6 ) == 0 ) + if ( ft_strncmp( line, "BITMAP", 6 ) == 0 ) { unsigned long bitmap_size; @@ -1979,7 +1979,7 @@ p = (_bdf_parse_t *) client_data; /* Check for the end of the properties. */ - if ( ft_memcmp( line, "ENDPROPERTIES", 13 ) == 0 ) + if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 ) { /* If the FONT_ASCENT or FONT_DESCENT properties have not been */ /* encountered yet, then make sure they are added as properties and */ @@ -2020,12 +2020,12 @@ } /* Ignore the _XFREE86_GLYPH_RANGES properties. */ - if ( ft_memcmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) + if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) goto Exit; /* Handle COMMENT fields and properties in a special way to preserve */ /* the spacing. */ - if ( ft_memcmp( line, "COMMENT", 7 ) == 0 ) + if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) { name = value = line; value += 7; 
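Review bot: Nothing near `p = (_bdf_parse_t *) client_data;` in the -1979 hunk states that `line` must be NUL-terminated, although after this change every keyword test depends on it. `ft_strncmp` only stops early at a terminator, so a caller handing in an unterminated slice of the read buffer would bring back the out-of-bounds read described in the ChangeLog entry. A short comment at the top of each line callback would record the contract, for example `/* `line' is NUL-terminated by the caller; the ft_strncmp tests below rely on it. */`. Whether the reader always writes that terminator is not visible in this diff and should be confirmed against the buffer-refill code.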
@@ -2089,7 +2089,7 @@ /* Check for a comment. This is done to handle those fonts that have */ /* comments before the STARTFONT line for some reason. */ - if ( ft_memcmp( line, "COMMENT", 7 ) == 0 ) + if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) { if ( p->opts->keep_comments != 0 && p->font != 0 ) { @@ -2115,7 +2115,7 @@ { memory = p->memory; - if ( ft_memcmp( line, "STARTFONT", 9 ) != 0 ) + if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 ) { /* we don't emit an error message since this code gets */ /* explicitly caught one level higher */ @@ -2163,7 +2163,7 @@ } /* Check for the start of the properties. */ - if ( ft_memcmp( line, "STARTPROPERTIES", 15 ) == 0 ) + if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 ) { if ( !( p->flags & _BDF_FONT_BBX ) ) { @@ -2192,7 +2192,7 @@ } /* Check for the FONTBOUNDINGBOX field. */ - if ( ft_memcmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) + if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) { if ( !( p->flags & _BDF_SIZE ) ) { @@ -2223,7 +2223,7 @@ } /* The next thing to check for is the FONT field. */ - if ( ft_memcmp( line, "FONT", 4 ) == 0 ) + if ( ft_strncmp( line, "FONT", 4 ) == 0 ) { error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); if ( error ) @@ -2258,7 +2258,7 @@ } /* Check for the SIZE field. */ - if ( ft_memcmp( line, "SIZE", 4 ) == 0 ) + if ( ft_strncmp( line, "SIZE", 4 ) == 0 ) { if ( !( p->flags & _BDF_FONT_NAME ) ) { @@ -2312,7 +2312,7 @@ } /* Check for the CHARS field -- font properties are optional */ - if ( ft_memcmp( line, "CHARS", 5 ) == 0 ) + if ( ft_strncmp( line, "CHARS", 5 ) == 0 ) { char nbuf[128];