coredump in Kern/fon/src/p2_thick.c

Bug #834229 reported by Jonathan Kamens
Affects              Status  Importance  Assigned to  Milestone
Cuneiform for Linux  New     Undecided   Unassigned

Bug Description

Coredump due to buffer overflow at Kern/fon/src/p2_thick.c:201

 memcpy(bSource, bDest + xbyte, xbyte * yrow);

xbyte=22, yrow=58
Going up one frame to p2_thick.c:309

  MoveUpDownBitmap2(xbyte2, yrow, bDest);

xbyte2 here is calculated from xbit, which is 170.
But WR_MAX_WIDTH in Kern/fon/src/sfont.h is 128, which is less than 170.
The fix is either to increase WR_MAX_WIDTH or to get rid of >> 3 at
p2_thick.c:193:

static uchar tmpbuf[(WR_MAX_WIDTH >> 3) * WR_MAX_HEIGHT];

I'm not sure which of these is the correct fix.
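
A bounds check of the kind that would turn this crash into a handled error, shown as an added example and not code from the report or from Cuneiform. WR_MAX_HEIGHT = 64, the (xbit + 7) >> 3 rounding, and the names row_bytes, raster_fits and stage_raster are assumptions made for illustration; only WR_MAX_WIDTH = 128, the buffer size expression and the crash dimensions come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WR_MAX_WIDTH  128  /* value quoted in the report (sfont.h) */
#define WR_MAX_HEIGHT 64   /* ASSUMPTION: not given in the report */

/* Same size expression as the declaration at p2_thick.c:193. */
static unsigned char tmpbuf[(WR_MAX_WIDTH >> 3) * WR_MAX_HEIGHT];

/* Constructed sample raster with the dimensions from the crash. */
static unsigned char sample[22 * 58];

/* Bytes per row for a bitmap xbit pixels wide (assumed rounding). */
static size_t row_bytes(size_t xbit) { return (xbit + 7) >> 3; }

/* 1 if xbyte * yrow bytes fit in capacity, 0 if not or if the
   multiplication itself would wrap around. */
static int raster_fits(size_t xbyte, size_t yrow, size_t capacity)
{
    if (yrow != 0 && xbyte > SIZE_MAX / yrow)
        return 0;
    return xbyte * yrow <= capacity;
}

/* Hypothetical guarded copy into the scratch buffer: returns 0 on
   success, -1 when the raster is larger than tmpbuf. */
static int stage_raster(const unsigned char *src, size_t xbit, size_t yrow)
{
    size_t xbyte = row_bytes(xbit);
    if (!raster_fits(xbyte, yrow, sizeof tmpbuf))
        return -1;               /* reject instead of overflowing */
    memcpy(tmpbuf, src, xbyte * yrow);
    return 0;
}

int main(void)
{
    /* xbit=170, yrow=58 from the report: 22 * 58 = 1276 bytes needed. */
    printf("capacity=%zu needed=%zu -> %d\n", sizeof tmpbuf,
           row_bytes(170) * 58, stage_raster(sample, 170, 58));
    /* A raster at the declared maximum width fits: 16 * 58 = 928. */
    printf("xbit=128 -> %d\n", stage_raster(sample, 128, 58));
    return 0;
}
```

With the assumed height the scratch buffer holds 1024 bytes, so the 1276-byte raster from the report is rejected while one at the declared maximum width is accepted.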
