Bug 643882 - evince: off-by-one in recent afmparse.c fixes
Status: RESOLVED FIXED
Product: evince
Classification: Core
Component: backends
Version: git master
OS: Other Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: Evince Maintainers
QA Contact: Evince Maintainers
Depends on:
Blocks:
Reported: 2011-03-04 16:01 UTC by Tomas Hoger
Modified: 2011-03-20 10:02 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
patch to fix the buffer overwrite (1.07 KB, patch) - 2011-03-16 00:31 UTC, Scott Reeves

Description Tomas Hoger 2011-03-04 16:01:51 UTC
Recent afmparse.c commits to address ident buffer overflow in token() and linetoken():

http://git.gnome.org/browse/evince/commit/?id=d4139205b010
http://git.gnome.org/browse/evince/commit/?id=439c5070022e

contain an off-by-one error. ident is calloc-ed to MAX_NAME size in afm_parse_file(). The new condition added in the above commits restricts idx to be less than MAX_NAME before executing the while loop body. idx is incremented in the body, so for oversized input, idx is MAX_NAME after the loop and the terminating 0 is written one off in ident[idx] = 0;.
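A constructed C model of the loop shape the report describes, added here as an example and not code from evince or from the attached patch: the small MAX_NAME, the whitespace-only delimiter handling and the canary harness are assumptions. The first-pass bound and the corrected bound sit side by side, and a canary byte placed right after the MAX_NAME-byte buffer shows which one writes the terminator out of bounds.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed: a small bound makes the edge case easy to exercise. The real
 * afmparse.c defines its own MAX_NAME and handles more delimiters; only the
 * bound-check / increment / terminator shape from the report is modelled. */
#define MAX_NAME 8
#define CANARY   0x7f

/* Shape of the first fix: idx < MAX_NAME is checked before the body and idx is
 * incremented inside it, so an oversized token leaves idx == MAX_NAME and the
 * terminating 0 lands at ident[MAX_NAME], one byte past the buffer. */
static void token_off_by_one(const char *src, char *ident)
{
    int idx = 0;
    while (*src && !isspace((unsigned char)*src) && idx < MAX_NAME)
        ident[idx++] = *src++;
    ident[idx] = 0;            /* ident[MAX_NAME] when the token is too long */
}

/* Corrected shape: bound the copy at MAX_NAME - 1 so the terminator always
 * fits inside the MAX_NAME bytes the caller allocated. */
static void token_fixed(const char *src, char *ident)
{
    int idx = 0;
    while (*src && !isspace((unsigned char)*src) && idx < MAX_NAME - 1)
        ident[idx++] = *src++;
    ident[idx] = 0;            /* idx <= MAX_NAME - 1 here */
}

/* Harness: ident gets MAX_NAME bytes plus one canary byte directly after them,
 * so the one-past-the-end write is observable without undefined behaviour.
 * Returns 1 if the canary survived, 0 if the terminator clobbered it. */
static int canary_intact(void (*tok)(const char *, char *), const char *src)
{
    char buf[MAX_NAME + 1];
    memset(buf, 0, MAX_NAME);
    buf[MAX_NAME] = CANARY;
    tok(src, buf);
    return buf[MAX_NAME] == CANARY;
}

/* Length of the token the corrected version produces for a given input. */
static size_t fixed_token_len(const char *src)
{
    char buf[MAX_NAME + 1];
    token_fixed(src, buf);
    return strlen(buf);
}
```

An AFM line such as "FontName" followed by an overlong identifier exercises exactly the oversized-token path; with the corrected bound the token is truncated to MAX_NAME - 1 characters but stays inside the buffer.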
Comment 1 Scott Reeves 2011-03-16 00:31:31 UTC
Created attachment 183479
patch to fix the buffer overwrite
Comment 2 Carlos Garcia Campos 2011-03-20 10:02:26 UTC
Pushed to git master, thanks!