Re: buffer overflow in fonts.c?

On Fri, 27 Jul 2007 14:31:25 +0200,
	Janek Kozicki <janek_listy wp pl> said:

> > The following patch is for the stock 1.3 release, but it should be
> > applied to the svn source, too.
> > 
> > --- src/fonts.c.orig    Sun Nov  3 22:00:36 2002
> > +++ src/fonts.c Wed Feb  8 04:22:13 2006
> > @@ -131,7 +131,7 @@
> >             if (end == 0)
> >                 end = p + strlen (p);
> >             len = end - (p + 1);
> > -           buf = malloc (len);
> > +           buf = malloc (len + 1);
> >             memcpy (buf, p + 1, len);
> >             buf[len] = 0;
> >             return buf;
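Review bot: the `+1` is required, not optional. With `len = end - (p + 1)` the segment is `len` bytes, and `buf[len] = 0` stores the terminator at index `len`, which is one past the last valid index of a `malloc (len)` block; the unpatched line is a one-byte heap overrun on every call, so `malloc (len + 1)` is the correct fix. While touching this line, the return value of `malloc` is never checked before `memcpy (buf, p + 1, len)`; a NULL check would be worth adding in the same change.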
> 
> thanks, better to use one byte more than to have a buffer overflow.
> Applied. But before making 1.3.2 I'll check with valgrind nevertheless,
> because from reading the code in this place I'm not 100% sure that
> it's needed. If valgrind says that it's not needed I'll revert it.

I think this code mallocs 'len' bytes of memory and assigns 0 to
buf[len], which means the (len+1)th byte from index 0, doesn't it?

> honestly I can't understand this patch, so I won't apply this unless
> some other people confirm (or explain) why this is necessary. I'll
> remember it though, and if the problem resurfaces later I hope
> to recognize it. Any comments?

When I tried to build sawfish from svn source, make-pot tried to
regenerate sawfish.pot and failed.  It seems that the released tarball
contains a pre-generated sawfish.pot, so my patch is not needed, I
guess...

> I'm about to make the 1.3.1 release, finally! :-)

I'm really happy to hear that :-)

Regards,
-- 
Yoshiaki Kasahara
Research Institute for Information Technology, Kyushu University
kasahara nc kyushu-u ac jp
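The off-by-one discussed in this thread, written out as a stand-alone C example (added here, not sawfish's fonts.c): the function mirrors the quoted hunk with the patched allocation, and the comments mark exactly which byte the unpatched `malloc (len)` left no room for. The names `dup_after` and `dup_field`, the empty-input guard and the XLFD-style sample name are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Copy the text after p, up to but not including end, into a new C string.
 * Mirrors the patched fonts.c fragment; end == NULL means "up to the NUL",
 * as in the original. dup_after is a name chosen for this example. */
char *dup_after(const char *p, const char *end)
{
    size_t len;
    char *buf;

    if (end == NULL)
        end = p + strlen(p);
    /* Added guard, not in fonts.c: on an empty string end - (p + 1) would
     * be negative and wrap to a huge size_t. */
    if (end < p + 1)
        return NULL;
    len = (size_t)(end - (p + 1));

    /* Unpatched code did malloc(len): valid indices are 0..len-1, yet the
     * terminator below is stored at index len, one byte past the block.
     * The patch's malloc(len + 1) reserves that byte for the NUL. */
    buf = malloc(len + 1);
    if (buf == NULL)            /* the quoted hunk never checks this */
        return NULL;
    memcpy(buf, p + 1, len);
    buf[len] = 0;
    return buf;
}

/* Convenience wrapper (assumed caller shape): the field after p up to the
 * next sep, or to the end of the string if there is no further sep. */
char *dup_field(const char *p, char sep)
{
    if (*p == 0)
        return NULL;
    return dup_after(p, strchr(p + 1, sep));
}

int main(void)
{
    /* Constructed input in the style of an XLFD font name. */
    const char *name = "-misc-fixed-medium";
    char *whole = dup_after(name, NULL);   /* "misc-fixed-medium" */
    char *first = dup_field(name, '-');    /* "misc" */
    printf("%s\n%s\n", whole, first);
    free(whole);
    free(first);
    return 0;
}
```

Under valgrind's memcheck the unpatched `malloc (len)` shows up as an "Invalid write of size 1" at the `buf[len] = 0` line, which is the quick way to settle the question raised above.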