[PATCH:mkfontscale 1/2] Leave room for null terminator in file & font name arrays

Alan Coopersmith alan.coopersmith at oracle.com
Thu Feb 24 23:38:44 PST 2011


fscanf %s arguments don't include the trailing \0 byte in their counts.

Error: Buffer overrun
   Buffer overflow (CWE 120): Use of fscanf(%1024[), with buffer 'font'
      Array size is 1024 bytes
        at line 707 of mkfontscale.c in function 'readFontScale'.
   Buffer overflow (CWE 120): Use of fscanf(%1024s), with buffer 'file'
      Array size is 1024 bytes
        at line 707 of mkfontscale.c in function 'readFontScale'.

[ This bug was found by the Parfait 0.3.6 bug checking tool.
  For more information see http://labs.oracle.com/projects/parfait/ ]

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
 mkfontscale.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/mkfontscale.c b/mkfontscale.c
index ef3f490..ba2f841 100644
--- a/mkfontscale.c
+++ b/mkfontscale.c
@@ -679,7 +679,7 @@ readFontScale(HashTablePtr entries, char *dirname)
     char *filename;
     FILE *in;
     int rc, count, i;
-    char file[MAXFONTFILENAMELEN], font[MAXFONTNAMELEN];
+    char file[MAXFONTFILENAMELEN+1], font[MAXFONTNAMELEN+1];
 
     if(dirname[n - 1] == '/')
         filename = dsprintf("%sfonts.scale", dirname);
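Review bot: The `+1` on the `file` and `font` declaration needs a comment saying why it is there, because the fscanf call it protects (line 707 per the commit message) is outside this hunk and a later cleanup could drop the extra byte as an apparent typo. Something like `/* +1: fscanf field widths do not count the trailing NUL */` at the declaration would do. The Parfait report also shows the widths as literal `%1024s` and `%1024[` while the arrays are sized from MAXFONTFILENAMELEN and MAXFONTNAMELEN, so the two can silently go out of step if either macro changes; deriving the widths from the macros, or adding a compile-time check that they agree, would close that gap.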
-- 
1.7.3.2
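The off-by-one the commit message describes, as an added example that is not part of the original patch or of mkfontscale: NAMELEN is a constructed stand-in for the 1024-byte limits, and the helper names are hypothetical. It counts the bytes a width-limited `%s` stores, using a sentinel-filled scratch buffer so nothing is actually overrun, then reads into an array sized the way the patch sizes it.

```c
#include <stdio.h>
#include <string.h>

#define NAMELEN 8               /* constructed stand-in for the 1024-byte limits */
#define STR2(x) #x
#define STR(x) STR2(x)          /* NAMELEN -> "8", so the width tracks the macro */
#define SENTINEL 0x7f           /* fill byte that never appears in the sample input */

/* Count the bytes a "%<NAMELEN>s" conversion stores for one token.
 * The scratch buffer is NAMELEN + 2 bytes so the write stays in bounds. */
size_t bytes_stored(const char *line)
{
    char buf[NAMELEN + 2];
    size_t i, n = 0;

    memset(buf, SENTINEL, sizeof buf);
    if (sscanf(line, "%" STR(NAMELEN) "s", buf) != 1)
        return 0;
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] != SENTINEL)
            n++;
    return n;
}

/* Patched layout: the array is one byte larger than the field width.
 * Returns the token length, or -1 if nothing was read. */
int read_name(const char *line, char out[NAMELEN + 1])
{
    if (sscanf(line, "%" STR(NAMELEN) "s", out) != 1)
        return -1;
    return (int)strlen(out);
}

int main(void)
{
    char name[NAMELEN + 1];

    /* Constructed inputs: an over-long token and a short one. */
    printf("over-long token: %zu bytes stored\n", bytes_stored("ABCDEFGHIJKL"));
    printf("short token:     %zu bytes stored\n", bytes_stored("abc rest"));
    printf("read_name length: %d (%s)\n", read_name("ABCDEFGHIJKL", name), name);
    return 0;
}
```

An over-long token stores NAMELEN characters plus the terminator, which is one byte more than an array declared with NAMELEN elements can hold.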



More information about the xorg-devel mailing list