logo

etc_portage

Unnamed repository; edit this file 'description' to name the repository. git clone https://hacktivis.me/git/etc_portage.git

0002-fix-use-after-free-in-font-caching-algorithm.patch (2052B)

    

  1. From a8cb8e94547d7e31441d2444e8a196415e3e4c1f Mon Sep 17 00:00:00 2001
  2. From: magras <dr.magras@gmail.com>
  3. Date: Thu, 28 Feb 2019 04:56:01 +0300
  4. Subject: [PATCH 2/5] fix use after free in font caching algorithm
  6. Current font caching algorithm contains a use after free error. A font
  7. removed from `frc` might be still listed in `wx.specbuf`. It will lead
  8. to a crash inside `XftDrawGlyphFontSpec()`.
  10. Steps to reproduce:
  11. $ st -f 'Misc Tamsyn:scalable=false'
  12. $ curl https://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-demo.txt
  14. Of course, result depends on fonts installed on a system and fontconfig.
  15. In my case, I'm getting consistent segfaults with different fonts.
  17. I replaced a fixed array with a simple unbounded buffer with a constant
  18. growth rate. Cache starts with a capacity of 0, gets increments by 16,
  19. and never shrinks. On my machine after `cat UTF-8-demo.txt` buffer
  20. reaches a capacity of 192. During casual use capacity stays at 0.
  21. ---
  22.  x.c | 15 +++++++++------
  23.  1 file changed, 9 insertions(+), 6 deletions(-)
  25. diff --git a/x.c b/x.c
  26. index 865dacc..2cd76d0 100644
  27. --- a/x.c
  28. +++ b/x.c
  29. @@ -226,8 +226,9 @@ typedef struct {
  30.  } Fontcache;
  31.  
  32.  /* Fontcache is an array now. A new font will be appended to the array. */
  33. -static Fontcache frc[16];
  34. +static Fontcache *frc = NULL;
  35.  static int frclen = 0;
  36. +static int frccap = 0;
  37.  static char *usedfont = NULL;
  38.  static double usedfontsize = 0;
  39.  static double defaultfontsize = 0;
  40. @@ -1244,12 +1245,14 @@ xmakeglyphfontspecs(XftGlyphFontSpec *specs, const Glyph *glyphs, int len, int x
  41.  					fcpattern, &fcres);
  42.  
  43.  			/*
  44. -			 * Overwrite or create the new cache entry.
  45. +			 * Allocate memory for the new cache entry.
  46.  			 */
  47. -			if (frclen >= LEN(frc)) {
  48. -				frclen = LEN(frc) - 1;
  49. -				XftFontClose(xw.dpy, frc[frclen].font);
  50. -				frc[frclen].unicodep = 0;
  51. +			if (frclen >= frccap) {
  52. +				frccap += 16;
  53. +				if (!frc)
  54. +					frc = xmalloc(frccap * sizeof(Fontcache));
  55. +				else
  56. +					frc = xrealloc(frc, frccap * sizeof(Fontcache));
  57.  			}
  58.  
  59.  			frc[frclen].font = XftFontOpenPattern(xw.dpy,
  60. -- 
  61. 2.21.0