The xserver has length checks for all commandline arguments including the argument to -fp. The fontpath can be quite long and the limit of 256 characters is reached quite fast.
Created attachment 1365: proposed patch
The patch checks for "-fp" as argument and skips the length check for "-fp" and the next argument and continues with the check of the argument for unprintable characters.
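The check described in the comment above, as an added C sketch (it is not the Xserver's utils.c and not the attached patch): the length limit is skipped for "-fp" and the argument that follows it, while the unprintable-character check still runs on every argument. `check_args`, `run_case` and `ARG_LEN_LIMIT` are hypothetical names, the sample command lines are constructed, and treating 256 as an inclusive maximum is an assumption.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define ARG_LEN_LIMIT 256   /* limit quoted in the report; name is hypothetical */

/* Return 0 if every argument passes, else the index of the first rejected one. */
int check_args(int argc, char *argv[])
{
    int after_fp = 0;   /* true while argv[i] is the value that follows -fp */

    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        int is_fp = (strcmp(a, "-fp") == 0);

        /* Length check, skipped for "-fp" itself and for the next argument. */
        if (!is_fp && !after_fp && strlen(a) > ARG_LEN_LIMIT)
            return i;

        /* The printable-character check still applies to every argument. */
        for (const unsigned char *p = (const unsigned char *)a; *p; p++)
            if (!isprint(*p))
                return i;

        after_fp = is_fp;   /* the exemption covers exactly one argument */
    }
    return 0;
}

/* Constructed input: "Xserver <flag> <value>", where value is value_len 'a'
 * characters; with bad_byte set, one byte becomes an unprintable 0x01. */
int run_case(const char *flag, size_t value_len, int bad_byte)
{
    char *value = malloc(value_len + 1);
    if (!value)
        return -1;
    memset(value, 'a', value_len);
    value[value_len] = '\0';
    if (bad_byte && value_len > 0)
        value[value_len / 2] = '\x01';

    char *argv[] = { "Xserver", (char *)flag, value, NULL };
    int rejected = check_args(3, argv);
    free(value);
    return rejected;
}
```

Because the exemption removes only the length limit, everything that later consumes the font path string has to cope with unbounded input, which is the audit concern raised further down the thread.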
Nice catch (I remember that Sun staff hit the same problem a while ago but I don't know whether they made a patch to cure the problem) :)
/cvs/xorg/xc/ChangeLog,v <-- ChangeLog
new revision: 1.544; previous revision: 1.543
/cvs/xorg/xc/programs/Xserver/os/utils.c,v <-- utils.c
new revision: 1.10; previous revision: 1.11
fixed in HEAD
/cvs/xorg/xc/ChangeLog,v <-- ChangeLog
new revision: 1.369.2.4; previous revision: 1.369.2.3
/cvs/xorg/xc/programs/Xserver/os/utils.c,v <-- utils.c
new revision: 1.1.4.3.2.5; previous revision: 1.1.4.3.2.4
fixed in CYGWIN
Yes, we hit this when setting up our VSW5 scripts to run with Xorg, but we didn't patch it, just changed the scripts to put the font path settings in xorg.conf instead of passing them on the command line.
I wonder if this may create a security problem. Doing away with the test means that one can pass an arbitrarily long argument to -fp. There must have been a reason that we were so restrictive on the argument length.
The pointer to the -fp argument is directly assigned to defaultFontPath, which is handled in dix/dixfonts.c (SetDefaultFontPath). The code there can handle strings of arbitrary length. The result is the fontpath string split on ",", which is passed on to SetFontPathElements. If there are size restrictions later on, then it could be exploited with xset -fp too.
Comment on attachment 1365: proposed patch
Approval for X11R6.8.x stable branch DENIED in the 2004-12-13 release-wranglers phone call as the possible security side-effects need to be figured out first (e.g. all consumers of this code need to be audited for security issues).