omGeneric.c contains the following code [1]:

    568: for(field_num = 0 ; field_num < CHARSET_ENCODING_FIELD && ptr && *ptr ;
    569:     ptr++, field_num++) {
    570:     fields[field_num] = ptr;
    571:
    572:     if((ptr = strchr(ptr, '-'))) {
    573:         *ptr = '\0';
    574:     }
    575: }

this code snippet may crash under certain circumstances (if the string doesn't meet the expectancies):
- [ strchr ] returns NULL because '-' doesn't appear anymore --> ptr becomes NULL
- [ ptr++, field_num++ ] --> ptr becomes 1
- [ && ptr ] --> true because ptr is 1
- [ && *ptr ] --> *boom*

suggested fix (sorry, I'm too lazy to download the file):

    572:     if((ptr = strchr(ptr, '-'))) {
    573:         *ptr = '\0';
    574:     } else {
    575:         break;
    576:     }
    577: }

(optionally remove the [ && ptr ] because it only gives a wrong feeling of safety)

[1] http://cgit.freedesktop.org/xorg/lib/libX11/tree/modules/om/generic/omGeneric.c
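The loop from the report above with the early exit applied, as a stand-alone added example (not libX11 code and not part of the original report). The names split_fields, count_fields and DEMO_MAX_FIELDS are hypothetical; DEMO_MAX_FIELDS stands in for CHARSET_ENCODING_FIELD, and the input strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEMO_MAX_FIELDS 4   /* assumed cap, stands in for CHARSET_ENCODING_FIELD */

/* Split buf in place on '-' into at most max_fields fields.
 * Returns the number of fields stored. Unlike the loop in the report,
 * ptr is never incremented after strchr() has returned NULL. */
size_t split_fields(char *buf, char *fields[], size_t max_fields)
{
    char *ptr = buf;
    size_t n = 0;

    while (n < max_fields && ptr != NULL && *ptr != '\0') {
        fields[n++] = ptr;
        ptr = strchr(ptr, '-');
        if (ptr == NULL)
            break;          /* no separator left: stop before any ptr++ */
        *ptr++ = '\0';      /* terminate this field, step past the '-' */
    }
    return n;
}

/* Helper for the demo: copies name into a writable buffer, then splits it. */
size_t count_fields(const char *name)
{
    char buf[128];
    char *fields[DEMO_MAX_FIELDS];

    snprintf(buf, sizeof buf, "%s", name);
    return split_fields(buf, fields, DEMO_MAX_FIELDS);
}

int main(void)
{
    /* Constructed inputs; the first has fewer '-' than the cap, which is
     * the case that sent the original loop through NULL + 1. */
    const char *samples[] = { "misc-fixed", "a-b-c-d-e", "nodash", "a-b-", "" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %zu field(s)\n", samples[i], count_fields(samples[i]));
    return 0;
}
```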
Alan committed a patch that links here. Shouldn't this be closed? Cheers
Whoops, forgot to update bugzilla. Fix committed to git master a couple weeks ago:

commit 2bef065b70f70af520b5de8fb23529254d15f003
Author: Christoph Pfister <christophpfister@gmail.com>
Date:   Mon Apr 27 22:32:57 2009 -0700

    X.Org Bug #21117: crash in get_rotate_fontname (omGeneric.c)
    http://bugs.freedesktop.org/show_bug.cgi?id=21117

    Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>