emacs-diffs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

emacs-28 7b6fb486 1/2: Fix potential buffer overflow (bug#50767)

From: Alan Third
Subject: emacs-28 7b6fb486 1/2: Fix potential buffer overflow (bug#50767)
Date: Sun, 17 Oct 2021 05:54:40 -0400 (EDT) 
branch: emacs-28
commit 7b6fb486c2e8555a04b20e067b723ef9fdb13396
Author: Alan Third <alan@idiocy.org>
Commit: Alan Third <alan@idiocy.org>

    Fix potential buffer overflow (bug#50767)
    
    * src/image.c (svg_load_image): Check how many bytes were actually
    written to the buffer.  Don't check xmalloc return value as xmalloc
    doesn't return if it fails.
---
 src/image.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/src/image.c b/src/image.c
index 206c7ba..49b2630 100644
--- a/src/image.c
+++ b/src/image.c
@@ -9996,10 +9996,16 @@ svg_load_image (struct frame *f, struct image *img, 
char *contents,
   if (!STRINGP (lcss))
     {
       /* Generate the CSS for the SVG image.  */
-      const char *css_spec = "svg{font-family:\"%s\";font-size:%4dpx}";
-      int css_len = strlen (css_spec) + strlen (img->face_font_family);
+      /* FIXME: The below calculations leave enough space for a font
+        size up to 9999, if it overflows we just throw an error but
+        should probably increase the buffer size.  */
+      const char *css_spec = "svg{font-family:\"%s\";font-size:%dpx}";
+      int css_len = strlen (css_spec) + strlen (img->face_font_family) + 1;
       css = xmalloc (css_len);
-      snprintf (css, css_len, css_spec, img->face_font_family, 
img->face_font_size);
+      if (css_len <= snprintf (css, css_len, css_spec,
+                              img->face_font_family, img->face_font_size))
+       goto rsvg_error;
+
       rsvg_handle_set_stylesheet (rsvg_handle, (guint8 *)css, strlen (css), 
NULL);
     }
   else
@@ -10157,12 +10163,11 @@ svg_load_image (struct frame *f, struct image *img, 
char *contents,
 
     wrapped_contents = xmalloc (buffer_size);
 
-    if (!wrapped_contents
-        || buffer_size <= snprintf (wrapped_contents, buffer_size, wrapper,
-                                    foreground & 0xFFFFFF, width, height,
-                                    viewbox_width, viewbox_height,
-                                    background & 0xFFFFFF,
-                                    SSDATA (encoded_contents)))
+    if (buffer_size <= snprintf (wrapped_contents, buffer_size, wrapper,
+                                foreground & 0xFFFFFF, width, height,
+                                viewbox_width, viewbox_height,
+                                background & 0xFFFFFF,
+                                SSDATA (encoded_contents)))
       goto rsvg_error;
 
     wrapped_size = strlen (wrapped_contents);
reply via email to
[Prev in Thread] Current Thread [Next in Thread]