emacs-28 7b6fb486 1/2: Fix potential buffer overflow (bug#50767)
From: |
Alan Third |
Subject: |
emacs-28 7b6fb486 1/2: Fix potential buffer overflow (bug#50767) |
Date: |
Sun, 17 Oct 2021 05:54:40 -0400 (EDT) |
branch: emacs-28
commit 7b6fb486c2e8555a04b20e067b723ef9fdb13396
Author: Alan Third <alan@idiocy.org>
Commit: Alan Third <alan@idiocy.org>
Fix potential buffer overflow (bug#50767)
* src/image.c (svg_load_image): Check how many bytes were actually
written to the buffer. Don't check xmalloc return value as xmalloc
doesn't return if it fails.
---
src/image.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/src/image.c b/src/image.c
index 206c7ba..49b2630 100644
--- a/src/image.c
+++ b/src/image.c
@@ -9996,10 +9996,16 @@ svg_load_image (struct frame *f, struct image *img,
char *contents,
if (!STRINGP (lcss))
{
/* Generate the CSS for the SVG image. */
- const char *css_spec = "svg{font-family:\"%s\";font-size:%4dpx}";
- int css_len = strlen (css_spec) + strlen (img->face_font_family);
+ /* FIXME: The below calculations leave enough space for a font
+ size up to 9999, if it overflows we just throw an error but
+ should probably increase the buffer size. */
+ const char *css_spec = "svg{font-family:\"%s\";font-size:%dpx}";
+ int css_len = strlen (css_spec) + strlen (img->face_font_family) + 1;
css = xmalloc (css_len);
- snprintf (css, css_len, css_spec, img->face_font_family,
img->face_font_size);
+ if (css_len <= snprintf (css, css_len, css_spec,
+ img->face_font_family, img->face_font_size))
+ goto rsvg_error;
+
rsvg_handle_set_stylesheet (rsvg_handle, (guint8 *)css, strlen (css),
NULL);
}
else
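Review bot: The buffer for `css` is still sized by guesswork: `css_len` counts the four characters of `%s` and `%d` in `css_spec` as the room for the font size, so any size that prints wider than four characters takes the new `goto rsvg_error` and the image is rejected, as the FIXME concedes. Measuring first removes the limit, e.g. `int css_len = snprintf (NULL, 0, css_spec, img->face_font_family, img->face_font_size) + 1;` followed by a check that the value is positive. The truncation test also accepts a negative snprintf return as success, here and (if `buffer_size` is a signed type) in the `wrapped_contents` check in the second hunk, after which strlen runs on a buffer that may never have been written; comparing a stored result with `n < 0 || n >= css_len` closes that. `css` is already allocated when the error branch is taken and the `rsvg_error` label is outside this hunk, so confirm the cleanup there frees it. Separately, `face_font_family` is written between the quotes unescaped, so a family name containing `"` would change the stylesheet handed to `rsvg_handle_set_stylesheet`; worth validating if that value can come from data the user did not choose.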
@@ -10157,12 +10163,11 @@ svg_load_image (struct frame *f, struct image *img,
char *contents,
wrapped_contents = xmalloc (buffer_size);
- if (!wrapped_contents
- || buffer_size <= snprintf (wrapped_contents, buffer_size, wrapper,
- foreground & 0xFFFFFF, width, height,
- viewbox_width, viewbox_height,
- background & 0xFFFFFF,
- SSDATA (encoded_contents)))
+ if (buffer_size <= snprintf (wrapped_contents, buffer_size, wrapper,
+ foreground & 0xFFFFFF, width, height,
+ viewbox_width, viewbox_height,
+ background & 0xFFFFFF,
+ SSDATA (encoded_contents)))
goto rsvg_error;
wrapped_size = strlen (wrapped_contents);
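Review bot: `wrapped_size = strlen (wrapped_contents)` on the line after the check rescans the whole buffer, which apparently holds the encoded image data passed as `SSDATA (encoded_contents)`, although a successful snprintf has already returned exactly that length. Keeping the result in a local, `int n = snprintf (wrapped_contents, buffer_size, wrapper, ...);`, and then assigning `wrapped_size = n;` avoids the second pass and gives one value to range-check. The declarations of `buffer_size` and `wrapped_size` are outside the hunk, so the types in that assignment need confirming.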