diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-04-25 23:02:54 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-05-12 23:32:04 -0700 |
commit | a42f707f8a62973f5e8bbcd08afb10a79e9cee33 (patch) | |
tree | 107ccd690a0cafc1435e21d6029a03773bef712f | |
parent | c578408c1fd4db09e4e3173f8a9e65c81cc187c1 (diff) |
CVE-2014-0211: integer overflow in fs_alloc_glyphs()
fs_alloc_glyphs() is a malloc wrapper used by the font code.
It contains a classic integer overflow in the malloc() call,
which can cause memory corruption.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
-rw-r--r-- | src/fc/fsconvert.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/fc/fsconvert.c b/src/fc/fsconvert.c index dfa1317..18b0c0d 100644 --- a/src/fc/fsconvert.c +++ b/src/fc/fsconvert.c @@ -721,7 +721,12 @@ fs_alloc_glyphs (FontPtr pFont, int size) FSGlyphPtr glyphs; FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate; - glyphs = malloc (sizeof (FSGlyphRec) + size); + if (size < (INT_MAX - sizeof (FSGlyphRec))) + glyphs = malloc (sizeof (FSGlyphRec) + size); + else + glyphs = NULL; + if (glyphs == NULL) + return NULL; glyphs->next = fsfont->glyphs; fsfont->glyphs = glyphs; return (pointer) (glyphs + 1); |