    glyph.c: fix a read beyond end of heap buffer · 234be024
    Ulrich Sibiller authored
    If compiled with -fsanitize=address this showed up when running startlxde:
    
    ==11551==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000018fbc at pc 0x7f270a9ed57b bp 0x7fff30ef3050 sp 0x7fff30ef2800
    READ of size 204 at 0x60d000018fbc thread T0
        #0 0x7f270a9ed57a  (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xb857a)
        #1 0x559dafcd5c93 in FindGlyphRef ../../render/glyph.c:179
        #2 0x559dafcd705d in AddGlyph /work/nx-libs/nx-X11/programs/Xserver/hw/nxagent/NXglyph.c:71
        #3 0x559dafccc0ff in ProcRenderAddGlyphs ../../mi/../render/render.c:1186
        #4 0x559dafcbd5a5 in ProcRenderDispatch /work/nx-libs/nx-X11/programs/Xserver/hw/nxagent/NXrender.c:1689
        #5 0x559dafcbc4ea in Dispatch /work/nx-libs/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c:476
        #6 0x559dafc4e9b0 in main /work/nx-libs/nx-X11/programs/Xserver/dix/main.c:353
        #7 0x7f2708e1d09a in __libc_start_main ../csu/libc-start.c:308
        #8 0x559dafc4f5d9 in _start (/work/nx-libs/nx-X11/programs/Xserver/nxagent+0x6e5d9)
    
    0x60d000018fbc is located 0 bytes to the right of 140-byte region [0x60d000018f30,0x60d000018fbc)
    allocated by thread T0 here:
        #0 0x7f270aa1e330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
        #1 0x559dafcd646c in AllocateGlyph ../../render/glyph.c:348
    
    This happens when two glyphs are compared via memcmp and the smaller
    one happens to be identical to the beginning of the bigger one.
    
    Newer render implementations use a sha1 hash instead of memcmp so this
    patch will (hopefully) be obsolete once render gets updated.
Name
X11/include
compext
man
.gitignore
Agent.h
Args.c
Args.h
Atoms.c
Atoms.h
Binder.c
Binder.h
BitmapUtils.c
Client.c
Client.h
Clipboard.c
Clipboard.h
Colormap.c
Colormap.h
Composite.c
Composite.h
Cursor.c
Cursor.h
Dialog.c
Dialog.h
Display.c
Display.h
Drawable.c
Drawable.h
Error.c
Error.h
Events.c
Events.h
Extensions.c
Extensions.h
Font.c
Font.h
GC.c
GCOps.c
GCOps.h
GCs.h
Handlers.c
Handlers.h
Holder.c
Holder.h
Icons.h
Image.c
Image.h
Imakefile
Init.c
Init.h
Keyboard.c
Keyboard.h
Keystroke.c
Keystroke.h
Literals.h
Millis.c
Millis.h
NXdamage.c
NXdispatch.c
NXdixfonts.c
NXevents.c
NXextension.c
NXglxext.c
NXglyph.c
NXglyphcurs.c
NXglyphstr_GlyphRef.h
NXglyphstr_GlyphSet.h
NXmitrap.c
NXpicture.c
NXpicturestr_PictSolidFill.h
NXproperty.c
NXrender.c
NXresource.c
NXshm.c
NXwindow.c
NXxvdisp.c
Options.c
Options.h
Pixels.c
Pixels.h
Pixmap.c
Pixmaps.h
Pointer.c
Pointer.h
Reconnect.c
Reconnect.h
Render.c
Render.h
Rootless.c
Rootless.h
Screen.c
Screen.h
Splash.c
Splash.h
Split.c
Split.h
Trap.c
Trap.h
Utils.h
Visual.c
Visual.h
Window.c
Windows.h
nxagent.xpm
nxmissing.xpm
screensaver
x11.svg
x2goagent.xpm