wxPostScriptDCImpl::DoGetTextExtent reads an AFM font metric file into several small fixed stack buffers (cString[10], descString[20], encString[50] and so on) using sscanf with bare %s conversions. The leading strncmp checks only look at each line's prefix, so a malformed AFM line whose first token runs on past the keyword, or whose later fields are over-long, writes past the end of these buffers; this is a stack buffer overflow and ASan flags it on a crafted file. The fix caps each %s with a field width matching its buffer so over-long tokens are truncated rather than overflowing, and since the tokens in valid AFM files are all short the parsed metrics are unchanged.
https://github.com/wxWidgets/wxWidgets/pull/26645
(1 file)
Using %s without width limit is definitely wrong, thanks for fixing this.
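The width-capped `sscanf` pattern discussed in this thread, as an added example that is not code from the pull request or from wxWidgets. The buffer names `cString[10]` and `descString[20]` come from the description; the function names, `semiString`, `wxString`, the exact conversion layout and the sample lines are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not wxWidgets code. Each returns 1 and stores the
   parsed values on success, 0 if the line is rejected. */

/* "C <code> ; WX <width> ; ..." character-metric line. */
int parse_char_metric(const char *line, int *code, int *width)
{
    char cString[10], semiString[10], wxString[10];

    /* Prefix check only: says nothing about the length of later tokens. */
    if (strncmp(line, "C ", 2) != 0)
        return 0;
    /* Unbounded form: "%s%d%s%s%d" writes past a buffer on a long token.
       Bounded form: each width is sizeof(buffer) - 1, leaving room for NUL. */
    if (sscanf(line, "%9s%d%9s%9s%d",
               cString, code, semiString, wxString, width) != 5)
        return 0;
    /* Extra check beyond the PR's fix: a truncated token spills its tail
       into the next conversion, so confirm the separators are intact. */
    return strcmp(semiString, ";") == 0 && strcmp(wxString, "WX") == 0;
}

/* "Descender <value>" line; the first token may run on past the keyword. */
int parse_descender(const char *line, int *value)
{
    char descString[20];

    if (strncmp(line, "Descender", 9) != 0)
        return 0;
    if (sscanf(line, "%19s%d", descString, value) != 2)
        return 0;
    return strcmp(descString, "Descender") == 0;
}

int main(void)
{
    int code = 0, width = 0, desc = 0;
    /* Constructed sample lines, not taken from a real font file. */
    printf("%d\n", parse_char_metric("C 32 ; WX 278 ; N space ;", &code, &width));
    printf("%d\n", parse_char_metric("C 32 AAAAAAAAAWX 278", &code, &width));
    printf("%d\n", parse_descender("DescenderAAAAAAAAAAAAAAAAAAAAAAAA -207", &desc));
    return 0;
}
```

The second sample shows why truncation alone can still mis-parse: the nine-character cap splits `AAAAAAAAAWX` into two tokens, so all five conversions succeed and only the separator comparison rejects the line.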