gbranden pushed a commit to branch master in repository groff.

commit a891161bc94c7b6a6a3572cc82f31e5029078d7b
Author: G. Branden Robinson <g.branden.robin...@gmail.com>
AuthorDate: Sun Nov 7 10:31:02 2021 +1100
[libgroff]: Fix Savannah #61424. * src/libs/libgroff/fontfile.cpp (font::open_file): Don't open user-specified font file names with slashes in them; i.e., don't traverse directories outside the configured font path. Also refuse to open the file if the `sprintf()` used to construct its file name doesn't write the expected quantity of bytes to the destination buffer. Fixes <https://savannah.gnu.org/bugs/?61424>. Thanks to Ingo Schwarze for feedback. --- ChangeLog | 12 ++++++++++++ src/libs/libgroff/fontfile.cpp | 13 ++++++++++--- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5deca75..9758a40 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,17 @@ 2021-11-07 G. Branden Robinson <g.branden.robin...@gmail.com> + * src/libs/libgroff/fontfile.cpp (font::open_file): Don't open + user-specified font file names with slashes in them; i.e., don't + traverse directories outside the configured font path. Also + refuse to open the file if the `sprintf()` used to construct its + file name doesn't write the expected quantity of bytes to the + destination buffer. + + Fixes <https://savannah.gnu.org/bugs/?61424>. Thanks to Ingo + Schwarze for feedback. + +2021-11-07 G. Branden Robinson <g.branden.robin...@gmail.com> + [libgroff]: Regression-test Savannah #61424. * src/roff/groff/tests/fp_should_not_traverse_directories.sh: Do diff --git a/src/libs/libgroff/fontfile.cpp b/src/libs/libgroff/fontfile.cpp index 0ebe35c..a5b03b6 100644 --- a/src/libs/libgroff/fontfile.cpp +++ b/src/libs/libgroff/fontfile.cpp 
@@ -60,9 +60,16 @@ void font::command_line_font_dir(const char *dir) FILE *font::open_file(const char *nm, char **pathp) { - char *filename = new char[strlen(nm) + strlen(device) + 5]; - sprintf(filename, "dev%s/%s", device, nm); - FILE *fp = font_path.open_file(filename, pathp); + FILE *fp = 0; + int expected_size = strlen(nm) + strlen(device) + 5; // 'dev' '/' '\0' + char *filename = new char[expected_size]; + // Do not traverse user-specified directories; Savannah #61424. + if (0 == strchr(nm, '/')) { + int actual_size = sprintf(filename, "dev%s/%s", device, nm); + expected_size--; // sprintf() doesn't count the null terminator. + if (actual_size == expected_size) + fp = font_path.open_file(filename, pathp); + } delete[] filename; return fp; } _______________________________________________ Groff-commit mailing list Groff-commit@gnu.org https://lists.gnu.org/mailman/listinfo/groff-commit
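Review bot: In the fontfile.cpp hunk, the `actual_size == expected_size` comparison runs only after `sprintf()` has already written into `filename`, so it can detect a failed or short write but cannot prevent an overrun. Because the buffer is sized from the same `strlen(nm) + strlen(device) + 5` expression, the check is close to a tautology in the normal case. Passing the buffer size to `snprintf()` would bound the write itself. The sizes are also held in `int` while `strlen()` returns `size_t`, so the sum is narrowed on assignment; keeping `expected_size` as `size_t` avoids that. Two smaller points: the `strchr(nm, '/')` test could come before `new char[expected_size]` so a rejected name returns without allocating, and a rejected name yields the same null `fp` as a file that is not found, so a comment or diagnostic saying the caller cannot tell the two apart would help whoever debugs a refused font name.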