From 56fa234856428ca2de92c27904edb1fe28bc4fdc Mon Sep 17 00:00:00 2001 From: Ulrich Sibiller Date: Wed, 3 Jan 2018 01:11:34 +0100 Subject: Font.c: replace memcpy by sprintf preventing possible buffer overflows I am not sure about the maximum font name length in X but just in case use snprintf instead of memcpy to be sure nothing dangerous can happen here. --- nx-X11/programs/Xserver/hw/nxagent/Font.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/nx-X11/programs/Xserver/hw/nxagent/Font.c b/nx-X11/programs/Xserver/hw/nxagent/Font.c index 5a9b729ed..540ad79e2 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/Font.c +++ b/nx-X11/programs/Xserver/hw/nxagent/Font.c @@ -733,7 +733,7 @@ static XFontStruct *nxagentLoadBestQueryFont(Display* dpy, char *fontName, FontP { XFontStruct *fontStruct; - char *substFontBuf; + char substFontBuf[512];; /* X Logical Font Description Conventions * require 14 fields in the font names. @@ -767,12 +767,9 @@ static XFontStruct *nxagentLoadBestQueryFont(Display* dpy, char *fontName, FontP fprintf(stderr, "nxagentLoadBestQueryFont: Searching font '%s' .\n", fontName); #endif - substFontBuf = (char *) malloc(sizeof(char) * 512); - - numFontFields = nxagentSplitString(fontName, fontNameFields, FIELDS + 1, "-"); - memcpy(substFontBuf, "fixed\0", strlen("fixed") + 1); + snprintf(substFontBuf, sizeof(substFontBuf), "%s", "fixed"); if (numFontFields <= FIELDS) { @@ -831,8 +828,7 @@ static XFontStruct *nxagentLoadBestQueryFont(Display* dpy, char *fontName, FontP /* Found more accurate font */ weight = tempWeight; - memcpy(substFontBuf, nxagentRemoteFontList.list[i]->name, strlen(nxagentRemoteFontList.list[i]->name)); - substFontBuf[strlen(nxagentRemoteFontList.list[i]->name)] = '\0'; + snprintf(substFontBuf, sizeof(substFontBuf), "%s", nxagentRemoteFontList.list[i]->name); #ifdef NXAGENT_RECONNECT_FONT_DEBUG fprintf(stderr, "nxagentLoadBestQueryFont: Weight '%d' of more accurate font '%s' .\n", weight, substFontBuf); 
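Review bot: The new declaration in the first hunk, `char substFontBuf[512];;`, carries a stray second semicolon. At block scope that is an empty statement, and if further declarations follow it (the rest of the declaration list is outside the hunk) builds with `-Wdeclaration-after-statement` or strict C89 will complain; it should read `char substFontBuf[512];`. The 512 is now the only bound on the font name, and the commit message says the real maximum is unknown, so a named constant with a short comment such as `/* upper bound for a font name; longer names are truncated by snprintf */` would make that limit visible to the next reader.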
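Review bot: The `snprintf(substFontBuf, sizeof(substFontBuf), "%s", nxagentRemoteFontList.list[i]->name)` added in the third hunk removes the overflow, but its return value is ignored, so a name of 512 bytes or more is silently truncated. By then `weight = tempWeight;` has already marked the candidate as the best match, and the truncated string is later handed to `nxagentLoadQueryFont`, which would either fail or load a different font than the one that was scored. The entries appear to come from the remote font list, so their length is not under this function's control. I would gate both the weight update and the copy on `strlen(nxagentRemoteFontList.list[i]->name) < sizeof(substFontBuf)`, or at least test `snprintf`'s result against `sizeof(substFontBuf)` and log the over-long name under `NXAGENT_RECONNECT_FONT_DEBUG`. The enclosing loop starts and ends outside the hunk, so the exact way to skip a candidate needs checking against the per-iteration cleanup there.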
@@ -856,8 +852,6 @@ static XFontStruct *nxagentLoadBestQueryFont(Display* dpy, char *fontName, FontP fontStruct = nxagentLoadQueryFont(dpy, substFontBuf, pFont); - free (substFontBuf); - for (j = 0; j < numFontFields; j++) { free(fontNameFields[j]); -- cgit v1.2.3