Fix out-of-bounds read in FontFileMakeDir() (!10) · Merge requests · xorg / lib / libXfont

Alexander Richardson requested to merge arichardson/libxfont:fix-oob-read into master Jul 14, 2021

BuiltinReadDirectory() calls FontFileMakeDir ("", builtin_dir_count); and this causes the dirName[dirlen - 1] access to read before the start of the string. I found this while porting Xvnc to CHERI-RISC-V (which has bounds and permissions on all pointers).

Admin message

Fix out-of-bounds read in FontFileMakeDir()

Merge request reports