author | Alan Third <alan@idiocy.org> | 2021-10-04 22:35:41 +0100 |
---|---|---|
committer | Alan Third <alan@idiocy.org> | 2021-10-17 10:54:18 +0100 |
commit | 7b6fb486c2e8555a04b20e067b723ef9fdb13396 (patch) | |
tree | 3abb1dd5d0f049b78c5d736aecb5294e27102129 /src | |
parent | ed9f5546aa71e0f187eaff1b2a9ccfe7772e9f5c (diff) | |
Fix potential buffer overflow (bug#50767)
* src/image.c (svg_load_image): Check how many bytes were actually
written to the buffer. Don't check xmalloc return value as xmalloc
doesn't return if it fails.
Diffstat (limited to 'src')
-rw-r--r-- | src/image.c | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/src/image.c b/src/image.c
index 206c7baa2f8..49b26301e8b 100644
--- a/src/image.c
+++ b/src/image.c
@@ -9996,10 +9996,16 @@ svg_load_image (struct frame *f, struct image *img, char *contents,
 if (!STRINGP (lcss))
 {
 /* Generate the CSS for the SVG image. */
- const char *css_spec = "svg{font-family:\"%s\";font-size:%4dpx}";
- int css_len = strlen (css_spec) + strlen (img->face_font_family);
+ /* FIXME: The below calculations leave enough space for a font
+ size up to 9999, if it overflows we just throw an error but
+ should probably increase the buffer size. */
+ const char *css_spec = "svg{font-family:\"%s\";font-size:%dpx}";
+ int css_len = strlen (css_spec) + strlen (img->face_font_family) + 1;
 css = xmalloc (css_len);
- snprintf (css, css_len, css_spec, img->face_font_family, img->face_font_size);
+ if (css_len <= snprintf (css, css_len, css_spec,
+ img->face_font_family, img->face_font_size))
+ goto rsvg_error;
+
 rsvg_handle_set_stylesheet (rsvg_handle, (guint8 *)css, strlen (css), NULL);
 }
 else
@@ -10157,12 +10163,11 @@ svg_load_image (struct frame *f, struct image *img, char *contents,
 wrapped_contents = xmalloc (buffer_size);
- if (!wrapped_contents
- || buffer_size <= snprintf (wrapped_contents, buffer_size, wrapper,
- foreground & 0xFFFFFF, width, height,
- viewbox_width, viewbox_height,
- background & 0xFFFFFF,
- SSDATA (encoded_contents)))
+ if (buffer_size <= snprintf (wrapped_contents, buffer_size, wrapper,
+ foreground & 0xFFFFFF, width, height,
+ viewbox_width, viewbox_height,
+ background & 0xFFFFFF,
+ SSDATA (encoded_contents)))
 goto rsvg_error;
 wrapped_size = strlen (wrapped_contents); |
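Review bot: In the first hunk the bound check `css_len <= snprintf (css, css_len, css_spec, ...)` only catches truncation: css_len is an int, so a negative (error) return from snprintf passes the test, and the `strlen (css)` in the following rsvg_handle_set_stylesheet call may then read a buffer that snprintf never terminated. Capturing the result and testing both cases closes that, e.g. `int n = snprintf (css, css_len, css_spec, img->face_font_family, img->face_font_size);` followed by `if (n < 0 || css_len <= n) goto rsvg_error;`. The second hunk's `buffer_size <= snprintf (wrapped_contents, ...)` has the same shape; whether it is affected depends on the type of buffer_size, which is declared outside the hunk. The new `goto rsvg_error` also runs after `css = xmalloc (css_len)`, and the rsvg_error label is outside both hunks, so it is worth confirming that css is freed on that path. svg_load_image starts and ends outside both hunks.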