label-freetype: fix UAF in set_font_for_control() with hidpi (scale_factor 2)

On hidpi screens, label-freetype will trigger a use-after-free in
set_font_for_control() via the call in update_scale_factor_from_pixel_buffer().

That call passes label->font as the font parameter to set_font_for_control().
set_font_for_control() then calls strdup() on its font argument, and
frees label->font. In this case this causes font to point into freed
memory, causing a read use-after-free in the following strstr() and
strrchr() calls.

Fix the issue by only using the freshly strdup()'d new_font variable
after freeing label->font.

diff --git a/src/plugins/controls/label-freetype/plugin.c b/src/plugins/controls/label-freetype/plugin.c
index 2594c800ac771222364a8ebadd29016e15e98395..77dcedd3a5ecff14c1d8cd8435d5378a61b21c29 100644 (file)
--- a/src/plugins/controls/label-freetype/plugin.c
+++ b/src/plugins/controls/label-freetype/plugin.c
@@ -834,7 +834,7 @@ set_font_for_control (ply_label_plugin_control_t *label,
         free (label->font);
         label->font = new_font;
 
-        if (strstr (font, "Mono") || strstr (font, "mono")) {
+        if (strstr (new_font, "Mono") || strstr (new_font, "mono")) {
                 if (!label->is_monospaced) {
                         FT_Done_Face (label->face);
                         FT_Done_Face (label->bold_face);
@@ -889,7 +889,7 @@ set_font_for_control (ply_label_plugin_control_t *label,
 
         /* Format is "Family 1[,Family 2[,..]] [25[px]]" .
          * [] means optional. */
-        size_str = strrchr (font, ' ');
+        size_str = strrchr (new_font, ' ');
 
         if (size_str) {
                 unsigned long parsed_size;