Bug Summary

File:src/FSWrap.c
Location:line 155, column 2
Description:String copy function overflows destination buffer

Annotated Source Code

1
2/*
3 * Copyright 1991 by the Open Software Foundation
4 * Copyright 1993 by the TOSHIBA Corp.
5 *
6 * Permission to use, copy, modify, distribute, and sell this software and its
7 * documentation for any purpose is hereby granted without fee, provided that
8 * the above copyright notice appear in all copies and that both that
9 * copyright notice and this permission notice appear in supporting
10 * documentation, and that the name Open Software Foundation
11 * not be used in advertising or publicity pertaining to distribution of the
12 * software without specific, written prior permission. Open Software
13 * Foundation makes no representations about the suitability of this
14 * software for any purpose. It is provided "as is" without express or
15 * implied warranty.
16 *
17 * OPEN SOFTWARE FOUNDATION DISCLAIMS ALL WARRANTIES WITH REGARD TO
18 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
19 * FITNESS, IN NO EVENT SHALL OPEN SOFTWARE FOUNDATIONN BE
20 * LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
21 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
22 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
23 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 *
25 * M. Collins OSF
26 *
27 * Katsuhisa Yano TOSHIBA Corp.
28 */
29
30/*
31
32Copyright 1991, 1998 The Open Group
33
34Permission to use, copy, modify, distribute, and sell this software and its
35documentation for any purpose is hereby granted without fee, provided that
36the above copyright notice appear in all copies and that both that
37copyright notice and this permission notice appear in supporting
38documentation.
39
40The above copyright notice and this permission notice shall be included
41in all copies or substantial portions of the Software.
42
43THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
44OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
45MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
46IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR
47OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
48ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
49OTHER DEALINGS IN THE SOFTWARE.
50
51Except as contained in this notice, the name of The Open Group shall
52not be used in advertising or otherwise to promote the sale, use or
53other dealings in this Software without prior written authorization
54from The Open Group.
55
56*/
57
58
59#ifdef HAVE_CONFIG_H1
60#include <config.h>
61#endif
62#include "Xlibint.h"
63#include "Xlcint.h"
64#include <ctype.h>
65#include <X11/Xos.h>
66
67
68#define XMAXLIST256 256
69
70char **
71_XParseBaseFontNameList(
72 char *str,
73 int *num)
74{
75 char *plist[XMAXLIST256];
76 char **list;
77 char *ptr, *psave;
78
79 *num = 0;
80 if (!str || !*str) {
81 return (char **)NULL((void*)0);
82 }
83 while (*str && isspace(*str))
84 str++;
85 if (!*str)
86 return (char **)NULL((void*)0);
87
88 if (!(ptr = strdup(str))) {
89 return (char **)NULL((void*)0);
90 }
91
92 psave = ptr;
93 /* somebody who specifies more than XMAXLIST basefontnames will lose */
94 while (*num < (sizeof plist / sizeof plist[0])) {
95 char *back;
96
97 plist[*num] = ptr;
98 if ((ptr = strchr(ptr, ','))) {
99 back = ptr;
100 } else {
101 back = plist[*num] + strlen(plist[*num]);
102 }
103 while (isspace(*(back - 1)))
104 back--;
105 *back = '\0';
106 (*num)++;
107 if (!ptr)
108 break;
109 ptr++;
110 while (*ptr && isspace(*ptr))
111 ptr++;
112 if (!*ptr)
113 break;
114 }
115 if (!(list = Xmalloc(sizeof(char *) * (*num + 1))malloc(((sizeof(char *) * (*num + 1)) == 0 ? 1 : (sizeof(char
*) * (*num + 1))))
)) {
116 Xfree(psave)free((psave));
117 return (char **)NULL((void*)0);
118 }
119 memcpy((char *)list, (char *)plist, sizeof(char *) * (*num))__builtin___memcpy_chk ((char *)list, (char *)plist, sizeof(char
*) * (*num), __builtin_object_size ((char *)list, 0))
;
120 *(list + *num) = NULL((void*)0);
121
122 return list;
123}
124
125static char **
126copy_string_list(
127 char **string_list,
128 int list_count)
129{
130 char **string_list_ret, **list_src, **list_dst, *dst;
131 int length, count;
132
133 if (string_list == NULL((void*)0) || list_count <= 0)
6
Assuming 'string_list' is not equal to null
7
Assuming 'list_count' is > 0
8
Taking false branch
134 return (char **) NULL((void*)0);
135
136 string_list_ret = Xmalloc(sizeof(char *) * list_count)malloc(((sizeof(char *) * list_count) == 0 ? 1 : (sizeof(char
*) * list_count)))
;
137 if (string_list_ret == NULL((void*)0))
9
Assuming 'string_list_ret' is not equal to null
10
Taking false branch
138 return (char **) NULL((void*)0);
139
140 list_src = string_list;
141 count = list_count;
142 for (length = 0; count-- > 0; list_src++)
11
Loop condition is true. Entering loop body
12
Loop condition is true. Entering loop body
13
Loop condition is false. Execution continues on line 145
143 length += strlen(*list_src) + 1;
144
145 dst = Xmalloc(length)malloc(((length) == 0 ? 1 : (length)));
146 if (dst == NULL((void*)0)) {
14
Assuming 'dst' is not equal to null
15
Taking false branch
147 Xfree(string_list_ret)free((string_list_ret));
148 return (char **) NULL((void*)0);
149 }
150
151 list_src = string_list;
152 count = list_count;
153 list_dst = string_list_ret;
154 for ( ; count-- > 0; list_src++) {
16
Loop condition is true. Entering loop body
17
Loop condition is true. Entering loop body
155 strcpy(dst, *list_src)__builtin___strcpy_chk (dst, *list_src, __builtin_object_size
(dst, 2 > 1 ? 1 : 0))
;
18
Within the expansion of the macro 'strcpy':
a
String copy function overflows destination buffer
156 *list_dst++ = dst;
157 dst += strlen(dst) + 1;
158 }
159
160 return string_list_ret;
161}
162
163XFontSet
164XCreateFontSet (
165 Display *dpy,
166 _Xconstconst char *base_font_name_list,
167 char ***missing_charset_list,
168 int *missing_charset_count,
169 char **def_string)
170{
171 XOM om;
172 XOC oc;
173 XOMCharSetList *list;
174
175 *missing_charset_list = NULL((void*)0);
176 *missing_charset_count = 0;
177
178 om = XOpenOM(dpy, NULL((void*)0), NULL((void*)0), NULL((void*)0));
179 if (om == NULL((void*)0))
1
Assuming 'om' is not equal to null
2
Taking false branch
180 return (XFontSet) NULL((void*)0);
181
182 if ((oc = XCreateOC(om, XNBaseFontName"baseFontName", base_font_name_list, NULL((void*)0)))) {
3
Assuming 'oc' is null
4
Taking false branch
183 list = &oc->core.missing_list;
184 oc->core.om_automatic = True1;
185 } else
186 list = &om->core.required_charset;
187
188 *missing_charset_list = copy_string_list(list->charset_list,
5
Calling 'copy_string_list'
189 list->charset_count);
190 *missing_charset_count = list->charset_count;
191
192 if (list->charset_list && *missing_charset_list == NULL((void*)0))
193 oc = NULL((void*)0);
194
195 if (oc && def_string) {
196 *def_string = oc->core.default_string;
197 if (!*def_string)
198 *def_string = "";
199 }
200
201 if (oc == NULL((void*)0))
202 XCloseOM(om);
203
204 return (XFontSet) oc;
205}
206
207int
208XFontsOfFontSet(
209 XFontSet font_set,
210 XFontStruct ***font_struct_list,
211 char ***font_name_list)
212{
213 *font_name_list = font_set->core.font_info.font_name_list;
214 *font_struct_list = font_set->core.font_info.font_struct_list;
215 return font_set->core.font_info.num_font;
216}
217
218char *
219XBaseFontNameListOfFontSet(XFontSet font_set)
220{
221 return font_set->core.base_name_list;
222}
223
224char *
225XLocaleOfFontSet(XFontSet font_set)
226{
227 return font_set->core.om->core.lcd->core->name;
228}
229
230Boolint
231XContextDependentDrawing(XFontSet font_set)
232{
233 return font_set->core.om->core.context_dependent;
234}
235
236Boolint
237XDirectionalDependentDrawing(XFontSet font_set)
238{
239 return font_set->core.om->core.directional_dependent;
240}
241
242Boolint
243XContextualDrawing(XFontSet font_set)
244{
245 return font_set->core.om->core.contextual_drawing;
246}
247
248XFontSetExtents *
249XExtentsOfFontSet(XFontSet font_set)
250{
251 if (!font_set)
252 return NULL((void*)0);
253 return &font_set->core.font_set_extents;
254}
255
256void
257XFreeFontSet(
258 Display *dpy,
259 XFontSet font_set)
260{
261 XCloseOM(font_set->core.om);
262}