From 0a7f8d6fb481d2bd502b5f376a0dcef6f82ee0ff Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Mon, 1 May 2006 14:45:56 +0000
Subject: =?UTF-8?q?Bug=20340229=20=E2=80=93=20pango=5Ffont=5Fdescription?=
 =?UTF-8?q?=5Ffrom=5Fstring=20does=20not=20do=20bound?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

2006-05-01 Behdad Esfahbod Bug 340229 – pango_font_description_from_string does not do bound checking * pango/fonts.c (pango_font_description_set_size), (pango_font_description_set_absolute_size), (parse_size): * pango/pango-markup.c (span_parse_func): Don't accept negative font sizes, and make sure sizes don't overflow.
---
 ChangeLog | 10 ++++++++++
 pango/fonts.c | 4 +++-
 pango/pango-markup.c | 2 +-
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3bb66718..39c5cf3a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2006-05-01 Behdad Esfahbod
+
+ Bug 340229 – pango_font_description_from_string does not do bound
+ checking
+
+ * pango/fonts.c (pango_font_description_set_size),
+ (pango_font_description_set_absolute_size), (parse_size):
+ * pango/pango-markup.c (span_parse_func): Don't accept negative font
+ sizes, and make sure sizes don't overflow.
+
 2006-04-29 Behdad Esfahbod
 * configure.in: Require cairo >= 1.1.2. Also pass -no-undefined on all
diff --git a/pango/fonts.c b/pango/fonts.c
index 59da712a..83cc05d9 100644
--- a/pango/fonts.c
+++ b/pango/fonts.c
@@ -348,6 +348,7 @@ pango_font_description_set_size (PangoFontDescription *desc,
 gint size)
 {
 g_return_if_fail (desc != NULL);
+ g_return_if_fail (size >= 0);
 desc->size = size;
 desc->size_is_absolute = FALSE;
@@ -392,6 +393,7 @@ pango_font_description_set_absolute_size (PangoFontDescription *desc,
 double size)
 {
 g_return_if_fail (desc != NULL);
+ g_return_if_fail (size >= 0);
 desc->size = size;
 desc->size_is_absolute = TRUE;
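Review bot: The new `g_return_if_fail (size >= 0);` in pango_font_description_set_absolute_size bounds the double only from below, yet the very next line stores it with `desc->size = size;`, into the same field that pango_font_description_set_size fills from a `gint`. If that field is an integer, a value above its range — or +inf, which passes `size >= 0` — makes the implicit double-to-int conversion undefined behaviour, which is the overflow the commit message says it rules out; parse_size caps its input at 1000000, but nothing caps this public setter. Consider `g_return_if_fail (size >= 0 && size <= G_MAXINT);`, or better a shared named limit that parse_size uses too. The function's closing brace lies outside the hunk.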
@@ -849,7 +851,7 @@ parse_size (const char *word,
 char *end;
 double size = g_ascii_strtod (word, &end);
- if ((size_t)(end - word) == wordlen) /* word is a valid float */
+ if ((size_t)(end - word) == wordlen && size >= 0 && size <= 1000000) /* word is a valid float */
 {
 if (pango_size)
 *pango_size = (int)(size * PANGO_SCALE + 0.5);
diff --git a/pango/pango-markup.c b/pango/pango-markup.c
index 5a5b67e0..afe8a933 100644
--- a/pango/pango-markup.c
+++ b/pango/pango-markup.c
@@ -997,7 +997,7 @@ span_parse_func (MarkupData *md,
 n = strtoul (size, &end, 10);
- if (*end != '\0')
+ if (*end != '\0' || n < 0 || n > 1000000)
 {
 g_set_error (error, G_MARKUP_ERROR,
-- 
cgit v1.2.1
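Review bot: The comment `/* word is a valid float */` on the changed line no longer describes the condition, which now also rejects negative and oversized values; `/* valid, non-negative float whose scaled value fits in an int */` would match it. The literal 1000000 is a magic upper bound here and appears again in span_parse_func in pango-markup.c; a named constant carrying a comment on why it is safe (1000000 * PANGO_SCALE has to stay below G_MAXINT for the `(int)(size * PANGO_SCALE + 0.5)` cast) would keep the two call sites in step. Since `size >= 0` is false for NaN, a "nan" token from g_ascii_strtod is rejected as well, which is worth a word in that comment. parse_size continues past the end of the hunk.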
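Review bot: `n < 0` in the new condition is either dead or too late: strtoul returns an `unsigned long`, so if n has that type the comparison is always false (and -Wtype-limits will say so), while if n is a narrower signed type, declared outside the hunk, the out-of-range result has already been converted on the `n = strtoul (size, &end, 10);` line before either test runs. Keeping the strtoul result in an `unsigned long` and testing only `n > 1000000` also covers a leading '-' (which strtoul wraps to a huge value) and the ULONG_MAX it returns with errno == ERANGE. The condition still accepts an empty attribute value, because then `*end == '\0'` with n == 0; `|| end == size` would reject it. span_parse_func starts and ends outside the hunk.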