Bug 46169 - Pointer error in FcConfigGlobMatch
Summary: Pointer error in FcConfigGlobMatch
Alias: None
Product: fontconfig
Classification: Unclassified
Component: library
Version: 2.8
Hardware: Other All
Importance: medium normal
Assignee: Akira TAGOH
QA Contact: Behdad Esfahbod
Depends on:
Reported: 2012-02-16 06:24 UTC by Sami Rosendahl
Modified: 2012-02-21 23:32 UTC


Description Sami Rosendahl 2012-02-16 06:24:29 UTC
The statement

    string += strlen ((char *) string) - strlen ((char *) glob);

in function FcConfigGlobMatch, line 1974 of fccfg.c (http://cgit.freedesktop.org/fontconfig/tree/src/fccfg.c?id=2.8.0#n1974), updates the pointer 'string' to point in memory to a lower address than the start of the buffer if strlen(glob) > strlen(string). This causes the following line

    while (*string)

to read and act on random data located in memory before the buffer that the pointer 'string' originally pointed to.
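As an added illustration (my own code, not fontconfig's and not the fix in 71b14d64): a minimal '*'/'?' matcher with the same shape as the function the report describes, where the short-circuit skip for a literal tail is guarded by a length check so the pointer can never move before the start of the buffer. The function name glob_match is my own.

```c
#include <stdio.h>
#include <string.h>

/* Illustration only (not fontconfig's FcConfigGlobMatch): matches 'string'
 * against a pattern with '*' (any run) and '?' (any one char).
 * Returns 1 on match, 0 otherwise. */
static int glob_match(const char *glob, const char *string)
{
    char c;

    while ((c = *glob++)) {
        switch (c) {
        case '*':
            if (!*glob)                 /* trailing '*' matches any suffix */
                return 1;
            if (strchr(glob, '*') == NULL) {
                /* Remaining pattern is a literal tail, so it can only
                 * match the same-length suffix of 'string'. Without this
                 * guard, string += ls - lg would step before the buffer
                 * whenever the tail is longer than what is left. */
                size_t ls = strlen(string);
                size_t lg = strlen(glob);
                if (ls < lg)
                    return 0;           /* tail cannot fit: no match */
                string += ls - lg;      /* safe: stays inside the buffer */
            }
            while (*string) {
                if (glob_match(glob, string))
                    return 1;
                string++;
            }
            return 0;
        case '?':
            if (*string++ == '\0')
                return 0;
            break;
        default:
            if (*string++ != c)
                return 0;
            break;
        }
    }
    return *string == '\0';
}

int main(void)
{
    /* Constructed inputs: the second one is the case the report describes
     * (glob tail longer than the string). */
    printf("%d\n", glob_match("*.ttf", "font.ttf"));   /* 1 */
    printf("%d\n", glob_match("*.ttf", "f"));          /* 0, no out-of-bounds read */
    return 0;
}
```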
Comment 1 Akira TAGOH 2012-02-21 23:15:22 UTC
Thanks for catching this. This may cause a segfault in the worst case, in strlen() when string points to an invalid address and contains '*'.

It may be hard to reproduce a crash though; it could be done by adjusting the length of the string in the glob element.
Comment 2 Akira TAGOH 2012-02-21 23:32:02 UTC
Fixed in 71b14d64.
