[PATCH:mkfontscale 1/2] Leave room for null terminator in file & font name arrays

Julien Cristau jcristau at debian.org
Fri Feb 25 10:24:29 PST 2011


On Thu, Feb 24, 2011 at 23:38:44 -0800, Alan Coopersmith wrote:

> fscanf %s arguments don't include the trailing \0 byte in their counts.
> 
> Error: Buffer overrun
>    Buffer overflow (CWE 120): Use of fscanf(%1024[), with buffer 'font'
>       Array size is 1024 bytes
>         at line 707 of mkfontscale.c in function 'readFontScale'.
>    Buffer overflow (CWE 120): Use of fscanf(%1024s), with buffer 'file'
>       Array size is 1024 bytes
>         at line 707 of mkfontscale.c in function 'readFontScale'.
> 
> [ This bug was found by the Parfait 0.3.6 bug checking tool.
>   For more information see http://labs.oracle.com/projects/parfait/ ]
> 
> Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
> ---
>  mkfontscale.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/mkfontscale.c b/mkfontscale.c
> index ef3f490..ba2f841 100644
> --- a/mkfontscale.c
> +++ b/mkfontscale.c
> @@ -679,7 +679,7 @@ readFontScale(HashTablePtr entries, char *dirname)
>      char *filename;
>      FILE *in;
>      int rc, count, i;
> -    char file[MAXFONTFILENAMELEN], font[MAXFONTNAMELEN];
> +    char file[MAXFONTFILENAMELEN+1], font[MAXFONTNAMELEN+1];
>  
>      if(dirname[n - 1] == '/')
>          filename = dsprintf("%sfonts.scale", dirname);
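Review bot: The `+1` on `file` and `font` is only correct while the scan widths equal MAXFONTFILENAMELEN and MAXFONTNAMELEN, and nothing at this declaration records that coupling. The checker output in the commit message shows the fscanf call at line 707 spelling the widths as literal `%1024s` and `%1024[`, so a later change to either macro would leave the format string stale and bring the off-by-one (or a larger overrun) back. Consider generating the widths from the macros by preprocessor stringification, or at least adding a comment here saying that the extra byte is for the terminator and that the fscanf widths must match the macros.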

Reviewed-by: Julien Cristau <jcristau at debian.org>

Cheers,
Julien

