Fix out-of-bounds read in FontFileMakeDir()

Alexander Richardson requested to merge arichardson/libxfont:fix-oob-read into master

BuiltinReadDirectory() calls FontFileMakeDir ("", builtin_dir_count); and this causes the dirName[dirlen - 1] access to read before the start of the string. I found this while porting Xvnc to CHERI-RISC-V (which has bounds and permissions on all pointers).
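The indexing problem described in this merge request, as an added C example that is not libXfont's code and not the patch itself: the unguarded last-byte test beside a length-checked form. The function names and the choice to append no slash to an empty name are assumptions made for illustration, and the sample paths are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unguarded pattern from the description: for dirName == "" dirlen is 0,
 * so dirName[dirlen - 1] reads the byte before the start of the string.
 * Kept for comparison only; it is never called with "" here. */
int needs_slash_unguarded(const char *dirName)
{
    size_t dirlen = strlen(dirName);
    return dirName[dirlen - 1] != '/';
}

/* Guarded form: check the length before indexing the last byte.
 * Assumption: an empty directory name gets no slash appended. */
int needs_slash_guarded(const char *dirName)
{
    size_t dirlen = strlen(dirName);
    return dirlen != 0 && dirName[dirlen - 1] != '/';
}

/* Hypothetical helper: copy dirName into out, appending '/' when needed.
 * Returns the resulting length, or -1 if out is too small. */
int normalize_dir_name(const char *dirName, char *out, size_t outlen)
{
    size_t dirlen = strlen(dirName);
    int slash = needs_slash_guarded(dirName);

    if (dirlen + (size_t)slash + 1 > outlen)
        return -1;
    memcpy(out, dirName, dirlen);
    if (slash)
        out[dirlen++] = '/';
    out[dirlen] = '\0';
    return (int)dirlen;
}

int main(void)
{
    /* Constructed inputs; "" is the name the builtin directory passes. */
    const char *samples[] = { "", "/usr/share/fonts", "/usr/share/fonts/" };
    char buf[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = normalize_dir_name(samples[i], buf, sizeof buf);
        printf("\"%s\" -> \"%s\" (%d)\n", samples[i], buf, n);
    }
    return 0;
}
```

On conventional targets the unguarded read usually goes unnoticed because the byte before the string is mapped; building with `-fsanitize=address` or running on a bounds-enforcing architecture such as CHERI makes it fault.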
