From: Ferdinand Bachmann Date: Tue, 7 Oct 2025 20:16:45 +0000 (+0200) Subject: label-freetype: fix UAF in set_font_for_control() with hidpi (scale_factor 2) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dcf23c0adcb33cd3483cc952ad7d0ef083c2d80e;p=thirdparty%2Fplymouth.git label-freetype: fix UAF in set_font_for_control() with hidpi (scale_factor 2) On hidpi screens, label-freetype will trigger a use-after-free in set_font_for_control() via the call in update_scale_factor_from_pixel_buffer(). That call passes label->font as the font parameter to set_font_for_control(). set_font_for_control() then calls strdup() on its font argument, and frees label->font. In this case this causes font to point into freed memory, causing a read use-after-free in the following strstr() and strrchr() calls. Fix the issue by only using the freshly strdup()'d new_font variable after freeing label->font. --- diff --git a/src/plugins/controls/label-freetype/plugin.c b/src/plugins/controls/label-freetype/plugin.c index 2594c800..77dcedd3 100644 --- a/src/plugins/controls/label-freetype/plugin.c +++ b/src/plugins/controls/label-freetype/plugin.c @@ -834,7 +834,7 @@ set_font_for_control (ply_label_plugin_control_t *label, free (label->font); label->font = new_font; - if (strstr (font, "Mono") || strstr (font, "mono")) { + if (strstr (new_font, "Mono") || strstr (new_font, "mono")) { if (!label->is_monospaced) { FT_Done_Face (label->face); FT_Done_Face (label->bold_face); @@ -889,7 +889,7 @@ set_font_for_control (ply_label_plugin_control_t *label, /* Format is "Family 1[,Family 2[,..]] [25[px]]" . * [] means optional. */ - size_str = strrchr (font, ' '); + size_str = strrchr (new_font, ' '); if (size_str) { unsigned long parsed_size;
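Review bot: in the hunk at line 834, the fix is correct but the function still depends on a fragile ordering: the `font` argument may alias the old `label->font`, which is freed two lines above, and nothing at the `free` says that `font` is dead from that point on. Consider either moving `free (label->font); label->font = new_font;` to the end of the function, after the last read of the argument, or adding a comment at the `free` stating that `font` must not be used below it, so a later edit does not reintroduce the use-after-free. Also worth confirming that every remaining read of `font` after this point has been converted (only the `strstr` and `strrchr` calls are changed in this patch) and that `new_font` is checked for NULL before `strstr` if the `strdup` can fail, since the context shown here has no such check.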
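Review bot: in the hunk at line 889, `strrchr (new_font, ' ')` returns the last space in the string, so for a family name that itself contains spaces and no trailing size (the comment's format allows "Family 1" with no size), `size_str` is non-NULL and the `parsed_size` branch will try to parse the last word of the family name; the parsing code below needs to treat that failed parse as "no size given" rather than apply a zero or partial value. Since `label->font` now owns the same string, reading through `label->font` here instead of `new_font` would also make the ownership explicit.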