From 97fb5bda3d0777380cd4b964f48771a82ef3f2a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= Date: Tue, 30 Apr 2024 18:21:08 +0200 Subject: [PATCH 6/6] Fix buffer overrun in parse_omit_name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When `num_fields == 12`, if the last character of the pattern is '-', the `buf` array is overrun. This error has been found by a static analysis tool. This is the report: Error: OVERRUN (CWE-119): libX11-1.8.7/modules/om/generic/omGeneric.c:691: cond_at_most: Checking "length > 255" implies that "length" may be up to 255 on the false branch. libX11-1.8.7/modules/om/generic/omGeneric.c:695: alias: Assigning: "last" = "buf + length - 1". "last" may now point to as high as byte 254 of "buf" (which consists of 256 bytes). libX11-1.8.7/modules/om/generic/omGeneric.c:718: ptr_incr: Incrementing "last". "last" may now point to as high as byte 255 of "buf" (which consists of 256 bytes). libX11-1.8.7/modules/om/generic/omGeneric.c:720: ptr_incr: Incrementing "last". "last" may now point to as high as byte 256 of "buf" (which consists of 256 bytes). libX11-1.8.7/modules/om/generic/omGeneric.c:720: overrun-local: Overrunning array of 256 bytes at byte offset 256 by dereferencing pointer "++last". # 718| *++last = '*'; # 719| # 720|-> *++last = '-'; # 721| break; # 722| case 13: Signed-off-by: José Expósito Part-of: --- modules/om/generic/omGeneric.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c index 406cec93..370072f3 100644 --- a/modules/om/generic/omGeneric.c +++ b/modules/om/generic/omGeneric.c @@ -688,7 +688,7 @@ parse_omit_name( length = strlen (pattern); - if (length > XLFD_MAX_LEN) + if (length > XLFD_MAX_LEN - 1) return -1; strcpy(buf, pattern); -- 2.45.2
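Review bot: In the bounds check `if (length > XLFD_MAX_LEN - 1)`, the new limit leaves no headroom beyond the two bytes appended in the `num_fields == 12` case. By the report's own arithmetic, a 254-byte pattern ending in '-' puts `last` at byte 253 of `buf`, so `*++last = '*';` and `*++last = '-';` land on bytes 254 and 255, the final byte of the 256-byte array. Anything the function writes past `last` after that point, a terminating NUL included, would again be at offset 256. The hunk does not show that code, so please confirm how the string is terminated after the switch and tighten the limit accordingly if such a write exists. The bare `- 1` also reads as arbitrary: a short comment tying it to the two appended bytes, or a check expressed in terms of `sizeof(buf)`, would keep the bound and the `strcpy(buf, pattern);` that depends on it from drifting apart if `buf` or the appended suffix ever changes.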