authorTobias Stoeckmann <tobias@stoeckmann.org>2021-05-23 15:05:17 +0200
committerTobias Stoeckmann <tobias@stoeckmann.org>2021-05-31 18:39:15 +0200
commit51b73ac0acda65005c8a9f17ca4ea7281b00ca84 (patch)
tree595e3309419e00917d2864fd4629925e462dcd7f /src/Font.c
parentab2f59530b16bdfbf023b8e025c7c8aba3b6fd0c (diff)
downloadxorg-lib-libX11-51b73ac0acda65005c8a9f17ca4ea7281b00ca84.tar.gz
Protect against overly long strings
Checking against upper limit of USHRT_MAX must happen before truncating size_t to int. On 64 bit systems with strings larger than 2 GB this could otherwise lead to negative ints or ints smaller than USHRT_MAX. In XParseColor this could lead to out of boundary access with strings starting with a # (color sequence). A modulo 12 operation is performed to validate the string length, but with an overflown length, the for loop would eventually read behind terminating '\0' character. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Diffstat (limited to 'src/Font.c')
-rw-r--r--src/Font.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/Font.c b/src/Font.c
index d4314e26..ae2cc1a0 100644
--- a/src/Font.c
+++ b/src/Font.c
@@ -656,7 +656,7 @@ int _XF86LoadQueryLocaleFont(
XFontStruct **xfp,
Font *fidp)
{
- int l;
+ size_t l;
const char *charset, *p;
char buf[256];
XFontStruct *fs;
@@ -664,7 +664,7 @@ int _XF86LoadQueryLocaleFont(
if (!name)
return 0;
- l = (int) strlen(name);
+ l = strlen(name);
if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
return 0;
charset = NULL;
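Review bot: Nothing at `l = strlen(name);` records why `l` has to stay a `size_t`, yet the `l >= USHRT_MAX` bound on the next line is only meaningful while the length is untruncated. A comment above the assignment, such as `/* keep the full size_t length: the USHRT_MAX check must see the untruncated value */`, would stop a later cleanup from re-adding the `(int)` cast. The function body starts and ends outside this hunk.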
@@ -677,11 +677,11 @@ int _XF86LoadQueryLocaleFont(
charset = "ISO8859-1";
p = charset + 7;
}
- if (l - 2 - (p - charset) < 0)
+ if (l - 2 < p - charset)
return 0;
if (_XlcNCompareISOLatin1(name + l - 2 - (p - charset), charset, p - charset))
return 0;
- if (strlen(p + 1) + (size_t) l - 1 >= sizeof(buf) - 1)
+ if (strlen(p + 1) + l - 1 >= sizeof(buf) - 1)
return 0;
strcpy(buf, name);
strcpy(buf + l - 1, p + 1);
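Review bot: The new test `if (l - 2 < p - charset)` compares a `size_t` with a `ptrdiff_t`, so it depends on the implicit conversion of `p - charset` to unsigned and on the earlier `l < 2` rejection to keep `l - 2` from wrapping. Computing the suffix length once, `size_t clen = (size_t)(p - charset);`, and using `clen` both here and in the `_XlcNCompareISOLatin1` call would make that explicit and keep `-Wsign-compare` quiet. The two `strcpy` calls are safe only because of the `sizeof(buf) - 1` check directly above them, so a short comment there, e.g. `/* bounded above: strlen(p + 1) + l - 1 < sizeof(buf) - 1 */`, would guard against reordering. The function continues outside this hunk, and how `p` is derived in the other branches is not visible here.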