[dev] [st] Use after free in font cache

From: dequis <dx_AT_dxzone.com.ar>
Date: Sun, 27 Aug 2017 21:58:39 -0300

Hi, got some crashes. Looks like st is calling XftFontClose in the
last member of the font cache array when it runs out of space in it,
but that xft font is still used somewhere else.

To reproduce:

1. Make the font cache array smaller, in x.c "static Fontcache frc[1];"
2. wget https://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-demo.txt
3. Start st in valgrind or similar
4. less UTF-8-demo.txt
5. Scroll down a few pages

Valgrind:

Invalid read of size 8
   at 0x589E028: XftDrawGlyphFontSpec (xftdraw.c:728)
   by 0x116C7D: xdrawglyphfontspecs (x.c:1234)
   by 0x1178C9: drawregion (x.c:1437)
   by 0x1175E2: draw (x.c:1389)
   by 0x11842C: run (x.c:1674)
   by 0x118CC2: main (x.c:1764)
 Address 0xa9a75c0 is 208 bytes inside a block of size 18,376 free'd
   at 0x4C2D16B: free (in ...)
   by 0x58A09DB: XftFontManageMemory (xftfreetype.c:1142)
   by 0x116401: xmakeglyphfontspecs (x.c:1089)
   by 0x11777F: drawregion (x.c:1415)
   by 0x1175E2: draw (x.c:1389)
   by 0x11842C: run (x.c:1674)
   by 0x118CC2: main (x.c:1764)
 Block was alloc'd at
   at 0x4C2BE7F: malloc (in ...)
   by 0x58A047B: XftFontOpenInfo (xftfreetype.c:892)
   by 0x58A14BA: XftFontOpenPattern (xftfreetype.c:1034)
   by 0x11643A: xmakeglyphfontspecs (x.c:1093)
   by 0x11777F: drawregion (x.c:1415)
   by 0x1175E2: draw (x.c:1389)
   by 0x11842C: run (x.c:1674)
   by 0x118CC2: main (x.c:1764)


Line numbers for st git master, 7f990328

I've run into this in a real-world situation (some Chinese characters
on IRC) and as a workaround I've increased the font cache array size
from 16 to 32.
Received on Mon Aug 28 2017 - 02:58:39 CEST
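The eviction pattern the report describes, next to one way of avoiding it, as an added example that is neither st's code nor the reporter's. The names Font, Fontcache, GlyphFontSpec, Cache and the "pinned" counter, the two-slot cache and the glyph values are this example's own assumptions, standing in for XftFont, st's frc[] array, its per-draw glyph specs and the fallback glyphs in UTF-8-demo.txt. Unlike st, the spec here records a cache slot index rather than the font pointer, so the model stays memory-safe and only counts the condition that valgrind flagged as an invalid read; what st itself changed in response is not shown on this page.

```c
#include <stdlib.h>
/* Added example, not st's code. Font, Fontcache, GlyphFontSpec, Cache and the
 * "pinned" counter are this example's assumptions standing in for XftFont,
 * st's frc[] array and its per-draw glyph specs; the glyph values are made up. */

typedef struct { unsigned unicodep; } Font;                    /* ~ XftFont */
typedef struct { Font *font; unsigned unicodep; int pinned; } Fontcache;
typedef struct { int slot; unsigned unicodep; } GlyphFontSpec; /* slot indexes frc */
typedef struct { Fontcache *frc; int frclen, frccap, closed_while_pinned; } Cache;
typedef struct { int closed_while_pinned, stale_specs, frccap, frclen; } DrawResult;

static int cache_find(const Cache *c, unsigned unicodep)
{
	for (int i = 0; i < c->frclen; i++)
		if (c->frc[i].unicodep == unicodep) return i;
	return -1;
}

static int cache_fill(Cache *c, int i, unsigned unicodep)   /* "open" a font into slot i */
{
	Font *f = malloc(sizeof *f);
	if (!f) return -1;
	f->unicodep = unicodep;
	c->frc[i].font = f; c->frc[i].unicodep = unicodep; c->frc[i].pinned = 0;
	return i;
}

/* Vulnerable lookup, modelled on the report: a full cache closes the font in the
 * last slot and reuses it, even when a spec built earlier in the same draw still refers to it. */
static int lookup_evicting(Cache *c, unsigned unicodep)
{
	int i = cache_find(c, unicodep);
	if (i >= 0) return i;
	if (c->frclen >= c->frccap) {          /* full: close the last slot's font */
		i = c->frclen = c->frccap - 1;
		if (c->frc[i].pinned > 0) c->closed_while_pinned++;
		free(c->frc[i].font);              /* earlier specs now dangle */
	}
	return cache_fill(c, c->frclen++, unicodep);
}

/* Hardened lookup: evict only a slot no pending spec references; if every slot
 * is pinned, grow the array instead of closing a font that is still in use. */
static int lookup_pinned(Cache *c, unsigned unicodep)
{
	int i = cache_find(c, unicodep);
	if (i >= 0) return i;
	if (c->frclen < c->frccap) return cache_fill(c, c->frclen++, unicodep);
	for (i = c->frclen - 1; i >= 0 && c->frc[i].pinned > 0; i--) ;  /* last unpinned slot */
	if (i >= 0) {                          /* unreferenced victim: safe to close */
		free(c->frc[i].font);
		return cache_fill(c, i, unicodep);
	}
	Fontcache *n = realloc(c->frc, (size_t)c->frccap * 2 * sizeof *n);
	if (!n) return -1;
	c->frc = n; c->frccap *= 2;
	return cache_fill(c, c->frclen++, unicodep);
}

/* xmakeglyphfontspecs-style pass: resolve each glyph to a slot and pin it until the draw is done. */
static int build_specs(Cache *c, const unsigned *text, int n, GlyphFontSpec *specs, int hardened)
{
	for (int k = 0; k < n; k++) {
		int slot = hardened ? lookup_pinned(c, text[k]) : lookup_evicting(c, text[k]);
		if (slot < 0) return -1;
		c->frc[slot].pinned++;
		specs[k].slot = slot; specs[k].unicodep = text[k];
	}
	return n;
}

static void release_specs(Cache *c, const GlyphFontSpec *specs, int n)
{
	for (int k = 0; k < n; k++)
		if (c->frc[specs[k].slot].pinned > 0) c->frc[specs[k].slot].pinned--;
}

/* Draw two constructed regions whose glyphs all need fallback fonts against a two-slot
 * cache (cf. "static Fontcache frc[1];"). A stale spec is one whose slot was refilled under it. */
DrawResult simulate_draw(int hardened)
{
	static const unsigned r1[] = { 0x4E2D, 0x6587, 0x65E5 }, r2[] = { 0x3042, 0x3044 };
	const unsigned *regions[] = { r1, r2 };
	GlyphFontSpec specs[3];
	Cache c = { calloc(2, sizeof(Fontcache)), 0, 2, 0 };
	DrawResult r = { 0, 0, 0, 0 };

	for (int d = 0; c.frc && d < 2; d++) {
		int n = d ? 2 : 3;
		if (build_specs(&c, regions[d], n, specs, hardened) != n) break;
		for (int k = 0; k < n; k++)        /* the draw: reads each spec's font */
			if (c.frc[specs[k].slot].unicodep != specs[k].unicodep) r.stale_specs++;
		release_specs(&c, specs, n);
	}
	r.closed_while_pinned = c.closed_while_pinned; r.frccap = c.frccap; r.frclen = c.frclen;
	for (int i = 0; i < c.frclen; i++) free(c.frc[i].font);
	free(c.frc);
	return r;
}
```

Calling simulate_draw(0) reproduces the report's sequence: with two slots and three new fallback glyphs in one region, the third lookup closes the font that the second spec still references, so the draw that follows reads a font that was freed in the spec-building pass (closed-while-pinned and stale-spec counts of 2 over the two regions). simulate_draw(1) keeps the same fixed-size eviction for slots nothing references, but grows the array to four entries when every slot is pinned by the current draw, so no live font is closed and no spec goes stale. Raising the array size, as the workaround above does, only makes the pinned-everywhere case rarer; it does not remove it.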
