diff options
| author | Alan Coopersmith <alan.coopersmith@sun.com> | 2006-09-22 11:36:43 -0700 |
|---|---|---|
| committer | Alan Coopersmith <alan.coopersmith@sun.com> | 2006-09-22 11:36:43 -0700 |
| commit | 264df52d24f585915e0d9823d5f087cf23e3fc75 (patch) | |
| tree | dd7bcd628cb88e67207dbc2624b648894c3f5c51 | |
| parent | 0fb55cb86e2ec5dbfbf27a01ceafb77c72fe9f40 (diff) | |
| parent | d896c3eaeafdb8831ed0833af46250c36f82502f (diff) | |
Merge branch 'master' of git+ssh://git.freedesktop.org/git/xorg/lib/libXfont
| -rw-r--r-- | Makefile.am | 3 | ||||
| -rw-r--r-- | configure.ac | 2 | ||||
| -rw-r--r-- | src/Type1/afm.c | 7 | ||||
| -rw-r--r-- | src/Type1/scanfont.c | 12 | ||||
| -rw-r--r-- | src/Type1/util.c | 2 |
5 files changed, 21 insertions, 5 deletions
diff --git a/Makefile.am b/Makefile.am index 544f0db..687e1d7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -49,8 +49,9 @@ EXTRA_DIST = xfont.pc.in autogen.sh include/X11/fonts/fontconf.h.in ChangeLog .PHONY: ChangeLog +CLEANFILES = ChangeLog ChangeLog: - GIT_DIR=${srcdir}/.git git-log > ChangeLog + git-log > ChangeLog dist-hook: ChangeLog diff --git a/configure.ac b/configure.ac index d165efa..f68f7e1 100644 --- a/configure.ac +++ b/configure.ac @@ -26,7 +26,7 @@ dnl Process this file with autoconf to create configure. AC_PREREQ([2.57]) AC_INIT([libXfont], - 1.2.0, + 1.2.2, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], libXfont) dnl diff --git a/src/Type1/afm.c b/src/Type1/afm.c index b8ce2d3..006ff3c 100644 --- a/src/Type1/afm.c +++ b/src/Type1/afm.c @@ -37,6 +37,8 @@ #include <X11/fonts/fontmisc.h> /* for xalloc/xfree */ #include "AFM.h" +#include <limits.h> + #define PBUF 256 #define KBUF 20 @@ -118,6 +120,11 @@ int CIDAFM(FILE *fd, FontInfo **pfi) { fi->nChars = atoi(p); + if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) { + xfree(afmbuf); + xfree(fi); + return(1); + } fi->metrics = (Metrics *)xalloc(fi->nChars * sizeof(Metrics)); if (fi->metrics == NULL) { diff --git a/src/Type1/scanfont.c b/src/Type1/scanfont.c index 04e3fe2..bc3c244 100644 --- a/src/Type1/scanfont.c +++ b/src/Type1/scanfont.c @@ -72,6 +72,8 @@ #include "spaces.h" #include "fontfcn.h" #include "blues.h" + +#include <limits.h> #if XFONT_CID #define CID_BUFSIZE 80 @@ -654,6 +656,7 @@ getFDArray(psobj *arrayP) arrayP->data.valueP = tokenStartP; /* allocate FDArray */ + /* No integer overflow since arrayP->len is unsigned short */ FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont))); if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY); @@ -850,7 +853,8 @@ BuildSubrs(psfont *FontP) } return(SCAN_OK); } - + if (N > INT_MAX / sizeof(psobj)) + return (SCAN_ERROR); arrayP = (psobj *)vm_alloc(N*sizeof(psobj)); if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY); FontP->Subrs.len = N; @@ -911,7 +915,7 @@ BuildCharStrings(psfont *FontP) } else return(rc); /* if next token was not an Int */ } - if (N<=0) return(SCAN_ERROR); + if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR); /* save number of entries in the dictionary */ dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict)); @@ -1719,6 +1723,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres *CMapP) if (tokenType == TOKEN_INTEGER) rangecnt = tokenValue.integer; + if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) { + rc = SCAN_ERROR; + break; + } /* ==> tokenLength, tokenTooLong, tokenType, and */ /* tokenValue are now set */ diff --git a/src/Type1/util.c b/src/Type1/util.c index 5b6d5a8..7c5a81d 100644 --- a/src/Type1/util.c +++ b/src/Type1/util.c @@ -104,7 +104,7 @@ vm_alloc(int bytes) bytes = (bytes + 7) & ~7; /* Allocate the space, if it is available */ - if (bytes <= vm_free) { + if (bytes > 0 && bytes <= vm_free) { answer = vm_next; vm_free -= bytes; vm_next += bytes; |