| author | Alan Third | 2021-10-04 22:35:41 +0100 |
|---|---|---|
| committer | Alan Third | 2021-10-17 10:54:18 +0100 |
| commit | 7b6fb486c2e8555a04b20e067b723ef9fdb13396 (patch) | |
| tree | 3abb1dd5d0f049b78c5d736aecb5294e27102129 /src/image.c | |
| parent | ed9f5546aa71e0f187eaff1b2a9ccfe7772e9f5c (diff) | |
Fix potential buffer overflow (bug#50767)
* src/image.c (svg_load_image): Check how many bytes were actually
written to the buffer. Don't check xmalloc return value as xmalloc
doesn't return if it fails.
Diffstat (limited to 'src/image.c')
| -rw-r--r-- | src/image.c | 23 |
1 files changed, 14 insertions, 9 deletions
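--- a/src/image.c
+++ b/src/image.c
@@ -9996,10 +9996,16 @@ svg_load_image (struct frame *f, struct image *img, char *contents,
 if (!STRINGP (lcss))
 {
 /* Generate the CSS for the SVG image. */
-const char *css_spec = "svg{font-family:\"%s\";font-size:%4dpx}";
-int css_len = strlen (css_spec) + strlen (img->face_font_family);
+/* FIXME: The below calculations leave enough space for a font
+size up to 9999, if it overflows we just throw an error but
+should probably increase the buffer size. */
+const char *css_spec = "svg{font-family:\"%s\";font-size:%dpx}";
+int css_len = strlen (css_spec) + strlen (img->face_font_family) + 1;
 css = xmalloc (css_len);
-snprintf (css, css_len, css_spec, img->face_font_family, img->face_font_size);
+if (css_len <= snprintf (css, css_len, css_spec,
+img->face_font_family, img->face_font_size))
+goto rsvg_error;
+
 rsvg_handle_set_stylesheet (rsvg_handle, (guint8 *)css, strlen (css), NULL);
 }
 else
@@ -10157,12 +10163,11 @@ svg_load_image (struct frame *f, struct image *img, char *contents,
 
 wrapped_contents = xmalloc (buffer_size);
 
-if (!wrapped_contents
-|| buffer_size <= snprintf (wrapped_contents, buffer_size, wrapper,
-foreground & 0xFFFFFF, width, height,
-viewbox_width, viewbox_height,
-background & 0xFFFFFF,
-SSDATA (encoded_contents)))
+if (buffer_size <= snprintf (wrapped_contents, buffer_size, wrapper,
+foreground & 0xFFFFFF, width, height,
+viewbox_width, viewbox_height,
+background & 0xFFFFFF,
+SSDATA (encoded_contents)))
 goto rsvg_error;
 
 wrapped_size = strlen (wrapped_contents);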
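Review bot: The new check beginning `if (css_len <= snprintf (css, css_len, css_spec,` in the first hunk catches truncation but not a negative return from snprintf, because `css_len` is an `int`; in that case the following `strlen (css)` would read a freshly allocated buffer whose contents are unspecified. Keeping the result, `int n = snprintf (css, css_len, css_spec, img->face_font_family, img->face_font_size);` followed by `if (n < 0 || css_len <= n) goto rsvg_error;`, covers both cases and lets `n` replace `strlen (css)` in the `rsvg_handle_set_stylesheet` call. The second hunk uses the same comparison against `buffer_size`, whose declaration is outside the hunk, so whether a negative return is rejected there depends on its type. The new `goto rsvg_error` is taken after `css = xmalloc (css_len)`, and the label is not shown here, so it is worth confirming that its cleanup frees `css`. svg_load_image starts and ends outside both hunks.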