diff options
author | Matthieu Herrb <matthieu@roadrock.(none)> | 2007-04-03 15:45:21 +0200 |
---|---|---|
committer | Matthieu Herrb <matthieu@roadrock.(none)> | 2007-04-03 15:45:21 +0200 |
commit | e7a59cfb5d442d2965cfcffeff405a4b05591190 (patch) | |
tree | ed517ce0794f87a785f0b3e9889bb94eba474532 /src/bitmap | |
parent | cc824e4f2c9a53a00b36a6f83bf065c363027087 (diff) | |
download | xorg-lib-libXfont-e7a59cfb5d442d2965cfcffeff405a4b05591190.tar.gz |
Integer overflow vulnerabilities
CVE-2007-1351: BDFFont Parsing Integer Overflow
CVE-2007-1352: fonts.dir File Parsing Integer Overflow
Diffstat (limited to 'src/bitmap')
-rw-r--r-- | src/bitmap/bdfread.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c index acb77e9..a6f0c1e 100644 --- a/src/bitmap/bdfread.c +++ b/src/bitmap/bdfread.c @@ -65,6 +65,12 @@ from The Open Group. #include <X11/fonts/bitmap.h> #include <X11/fonts/bdfint.h> +#if HAVE_STDINT_H +#include <stdint.h> +#elif !defined(INT32_MAX) +#define INT32_MAX 0x7fffffff +#endif + #define INDICES 256 #define MAXENCODING 0xFFFF #define BDFLINELEN 1024 @@ -288,6 +294,11 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, bdfError("invalid number of CHARS in BDF file\n"); return (FALSE); } + if (nchars > INT32_MAX / sizeof(CharInfoRec)) { + bdfError("Couldn't allocate pCI (%d*%d)\n", nchars, + sizeof(CharInfoRec)); + goto BAILOUT; + } ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec)); if (!ci) { bdfError("Couldn't allocate pCI (%d*%d)\n", nchars, |