gbranden pushed a commit to branch master
in repository groff.
commit a891161bc94c7b6a6a3572cc82f31e5029078d7b
Author: G. Branden Robinson <[email protected]>
AuthorDate: Sun Nov 7 10:31:02 2021 +1100
[libgroff]: Fix Savannah #61424.
* src/libs/libgroff/fontfile.cpp (font::open_file): Don't open
user-specified font file names with slashes in them; i.e., don't
traverse directories outside the configured font path. Also refuse to
open the file if the `sprintf()` used to construct its file name
doesn't write the expected quantity of bytes to the destination
buffer.
Fixes <https://savannah.gnu.org/bugs/?61424>. Thanks to Ingo Schwarze
for feedback.
---
ChangeLog | 12 ++++++++++++
src/libs/libgroff/fontfile.cpp | 13 ++++++++++---
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5deca75..9758a40 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
2021-11-07 G. Branden Robinson <[email protected]>
+ * src/libs/libgroff/fontfile.cpp (font::open_file): Don't open
+ user-specified font file names with slashes in them; i.e., don't
+ traverse directories outside the configured font path. Also
+ refuse to open the file if the `sprintf()` used to construct its
+ file name doesn't write the expected quantity of bytes to the
+ destination buffer.
+
+ Fixes <https://savannah.gnu.org/bugs/?61424>. Thanks to Ingo
+ Schwarze for feedback.
+
+2021-11-07 G. Branden Robinson <[email protected]>
+
[libgroff]: Regression-test Savannah #61424.
* src/roff/groff/tests/fp_should_not_traverse_directories.sh: Do
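Review bot: The new ChangeLog entry starts directly at the "* src/libs/libgroff/fontfile.cpp (font::open_file):" item with no summary line, while the entry right below it opens with "[libgroff]: Regression-test Savannah #61424." Consider opening this entry with the commit's own subject, "[libgroff]: Fix Savannah #61424.", so the two entries read consistently.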
diff --git a/src/libs/libgroff/fontfile.cpp b/src/libs/libgroff/fontfile.cpp
index 0ebe35c..a5b03b6 100644
--- a/src/libs/libgroff/fontfile.cpp
+++ b/src/libs/libgroff/fontfile.cpp
@@ -60,9 +60,16 @@ void font::command_line_font_dir(const char *dir)
FILE *font::open_file(const char *nm, char **pathp)
{
- char *filename = new char[strlen(nm) + strlen(device) + 5];
- sprintf(filename, "dev%s/%s", device, nm);
- FILE *fp = font_path.open_file(filename, pathp);
+ FILE *fp = 0;
+ int expected_size = strlen(nm) + strlen(device) + 5; // 'dev' '/' '\0'
+ char *filename = new char[expected_size];
+ // Do not traverse user-specified directories; Savannah #61424.
+ if (0 == strchr(nm, '/')) {
+ int actual_size = sprintf(filename, "dev%s/%s", device, nm);
+ expected_size--; // sprintf() doesn't count the null terminator.
+ if (actual_size == expected_size)
+ fp = font_path.open_file(filename, pathp);
+ }
delete[] filename;
return fp;
}
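Review bot: The `actual_size == expected_size` test in `font::open_file` runs only after `sprintf()` has already written into `filename`, so it can detect a mismatch but cannot prevent a write past the end of the buffer. Calling `snprintf(filename, expected_size, "dev%s/%s", device, nm)` would bound the write, and its return value can be checked the same way. Separately, `expected_size` is an `int` initialized from `strlen()` results (a narrowing from `size_t`) and is decremented after it has served as the allocation size, which makes the comparison harder to follow; comparing against `expected_size - 1` would leave the variable's meaning stable. The `strchr(nm, '/')` test is what enforces the no-traversal rule, and it could run before the `new char[expected_size]` so that rejected names allocate nothing. A rejected name and a missing file both come back as a null `fp`; if that is intended, a short comment saying so would help the next reader.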
_______________________________________________
Groff-commit mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/groff-commit