Stack gets smashed in fonts with colors when calling XftGlyphRender
I encountered this issue in rxvt-unicode by setting the font to xft:Source Code Pro:pixelsize=20:antialias=false,xft:IPA Gothic, making the terminal fullscreen on a 1440p monitor (resulting in 196 columns, lower values seem not to trigger the bug), viewing the iptables-extensions man page and scrolling to the bottom. At some point, the terminal crashes and the traceback is a little unclear, but I found in GDB that by the time _XftCompositeText is called, elts == elts_local and yet nelt is 130 (indicating that 130 elements were written to an array of size 128).
It seems the cause was introduced in commit 6a08279e:
@@ -335,7 +362,7 @@ XftGlyphSpecRender (Display *dpy,
}
elts = elts_local;
- if (nelt > NUM_ELT_LOCAL)
+ if (!font->info.color && nelt > NUM_ELT_LOCAL)
{
elts = AllocGlyphElt8Array (nelt);
if (!elts)
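Review bot: the new condition `!font->info.color && nelt > NUM_ELT_LOCAL` skips AllocGlyphElt8Array whenever font->info.color is set, so elts stays pointed at elts_local even when nelt is larger than NUM_ELT_LOCAL. If anything later in XftGlyphSpecRender fills or passes nelt elements through elts for a colour font, that goes past the end of the local array. Suggest keeping the size check independent of the colour flag (`if (nelt > NUM_ELT_LOCAL)`), or making sure nelt is only counted on the path that actually fills elts, and adding a comment that explains why colour matters at this point.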
This looks to my eye like it might be a typo of font->info.color || nelt > NUM_ELT_LOCAL (as nelt exceeding NUM_ELT_LOCAL indicates that we expect to exceed the bounds of the array, and that should always be grounds for allocating a larger one), but I don't know nearly enough about the code to understand why the condition includes color, so it might even have been included in error.
The problem was encountered in version 2.3.6 and reproduced in the git version at de4592a1.
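The buffer selection discussed in the report, modelled as an added example (not libXft's code and not written by the reporter): it compares the condition from the quoted hunk with a size check alone and reports whether the chosen buffer can hold nelt elements. `Elt`, `EltBuf`, `pick` and `buffer_fits` are hypothetical names; only the local size of 128, the count of 130 and the two conditions come from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define NUM_ELT_LOCAL 128            /* local array size given in the report */

typedef struct { int placeholder; } Elt;   /* hypothetical stand-in element */

typedef struct {
    Elt   *elts;       /* buffer the caller is about to fill */
    size_t capacity;   /* number of elements it can hold */
    int    on_heap;    /* nonzero when elts must be freed */
} EltBuf;

/* gate_on_color = 1: condition from the quoted hunk (!color && nelt > local).
 * gate_on_color = 0: size check alone (nelt > local). */
static EltBuf pick(Elt *local, int gate_on_color, int color, size_t nelt)
{
    EltBuf b = { local, NUM_ELT_LOCAL, 0 };
    int too_big = nelt > NUM_ELT_LOCAL;
    int use_heap = gate_on_color ? (!color && too_big) : too_big;

    if (use_heap) {
        b.elts = calloc(nelt, sizeof *b.elts);
        b.capacity = b.elts ? nelt : 0;   /* allocation failure: no buffer */
        b.on_heap = b.elts != NULL;
    }
    return b;
}

/* Returns 1 when the selected buffer can hold nelt elements, 0 otherwise.
 * Nothing is written, so the undersized case is reported, not triggered. */
int buffer_fits(int gate_on_color, int color, size_t nelt)
{
    Elt local[NUM_ELT_LOCAL];
    EltBuf b = pick(local, gate_on_color, color, nelt);
    int ok = b.elts != NULL && nelt <= b.capacity;
    if (b.on_heap)
        free(b.elts);
    return ok;
}

int main(void)
{
    printf("hunk condition, colour font, 130 elts: %d\n", buffer_fits(1, 1, 130));
    printf("hunk condition, plain font,  130 elts: %d\n", buffer_fits(1, 0, 130));
    printf("size check only, colour font, 130 elts: %d\n", buffer_fits(0, 1, 130));
    return 0;
}
```

A check of the same form (`nelt <= capacity` immediately before the fill loop) works as an assertion in a debug build, and building with AddressSanitizer flags the out-of-bounds write at the point it happens.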