From 0a7f8d6fb481d2bd502b5f376a0dcef6f82ee0ff Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Mon, 1 May 2006 14:45:56 +0000
Subject: =?UTF-8?q?Bug=20340229=20=E2=80=93=20pango=5Ffont=5Fdescription?= =?UTF-8?q?=5Ffrom=5Fstring=20does=20not=20do=20bound?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
2006-05-01 Behdad Esfahbod Bug 340229 – pango_font_description_from_string does not do bound checking * pango/fonts.c (pango_font_description_set_size), (pango_font_description_set_absolute_size), (parse_size): * pango/pango-markup.c (span_parse_func): Don't accept negative font sizes, and make sure sizes don't overflow.
---
 pango/pango-markup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'pango/pango-markup.c')
diff --git a/pango/pango-markup.c b/pango/pango-markup.c
index 5a5b67e0..afe8a933 100644
--- a/pango/pango-markup.c
+++ b/pango/pango-markup.c
@@ -997,7 +997,7 @@ span_parse_func (MarkupData *md,
 n = strtoul (size, &end, 10);
- if (*end != '\0')
+ if (*end != '\0' || n < 0 || n > 1000000)
 {
 g_set_error (error,
 G_MARKUP_ERROR,
-- 
cgit v1.2.1
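Review bot: The added `n < 0` test looks like dead code: strtoul() returns unsigned long, so if `n` is declared unsigned (its declaration, like the rest of span_parse_func, is outside the hunk) the comparison is always false, and a leading '-' in untrusted markup is rejected only because the wrapped value exceeds 1000000. The condition also still accepts a string with no digits at all, since `*end` is then '\0' with `end == size`, unless an earlier check outside the hunk already excludes that. I would write `if (end == size || *end != '\0' || n > 1000000)` and put a comment above it such as `/* the upper bound keeps later size arithmetic from overflowing; strtoul wraps negative input to a huge value, which this also rejects */`. The literal 1000000 would read better as a named constant shared with the matching checks in pango/fonts.c that the commit message mentions.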