On Thu, Feb 24, 2011 at 23:38:44 -0800, Alan Coopersmith wrote: > fscanf %s arguments don't include the trailing \0 byte in their counts. > > Error: Buffer overrun > Buffer overflow (CWE 120): Use of fscanf(%1024[), with buffer 'font' > Array size is 1024 bytes > at line 707 of mkfontscale.c in function 'readFontScale'. > Buffer overflow (CWE 120): Use of fscanf(%1024s), with buffer 'file' > Array size is 1024 bytes > at line 707 of mkfontscale.c in function 'readFontScale'. > > [ This bug was found by the Parfait 0.3.6 bug checking tool. > For more information see http://labs.oracle.com/projects/parfait/ ] > > Signed-off-by: Alan Coopersmith <[email protected]> > --- > mkfontscale.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/mkfontscale.c b/mkfontscale.c > index ef3f490..ba2f841 100644 > --- a/mkfontscale.c > +++ b/mkfontscale.c > @@ -679,7 +679,7 @@ readFontScale(HashTablePtr entries, char *dirname) > char *filename; > FILE *in; > int rc, count, i; > - char file[MAXFONTFILENAMELEN], font[MAXFONTNAMELEN]; > + char file[MAXFONTFILENAMELEN+1], font[MAXFONTNAMELEN+1]; > > if(dirname[n - 1] == '/') > filename = dsprintf("%sfonts.scale", dirname);
Reviewed-by: Julien Cristau <[email protected]> Cheers, Julien _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
