diff options
| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-04-25 23:01:11 -0700 |
|---|---|---|
| committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-05-12 23:31:08 -0700 |
| commit | 2f5e57317339c526e6eaee1010b0e2ab8089c42e (patch) | |
| tree | 71aa9cd77e8a0263b0a6b2c372c36f1de80ec8fc | |
| parent | 2a5111af9e03a55bd099c6c3a5b9a7fd3dfce76f (diff) | |
CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry()
FontFileReadDirectory() opens a fonts.dir file, and reads over every
line in an fscanf loop. For each successful entry read (font name,
file name) a call is made to FontFileAddFontFile().
FontFileAddFontFile() will add a font file entry (for the font name
and file) each time it’s called, by calling FontFileAddEntry().
FontFileAddEntry() will do the actual adding. If the table it has
to add to is full, it will do a realloc, adding 100 more entries
to the table size without checking to see if that will overflow the
int used to store the size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
| -rw-r--r-- | src/fontfile/fontdir.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c index ef7ffa5..7271603 100644 --- a/src/fontfile/fontdir.c +++ b/src/fontfile/fontdir.c @@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype) if (table->sorted) return (FontEntryPtr) 0; /* "cannot" happen */ if (table->used == table->size) { + if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100)) + /* If we've read so many entries we're going to ask for 2gb + or more of memory, something is so wrong with this font + directory that we should just give up before we overflow. */ + return NULL; newsize = table->size + 100; entry = realloc(table->entries, newsize * sizeof(FontEntryRec)); if (!entry) |