summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-12-23 19:01:11 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-12-30 18:10:09 -0800
commit2a84680376bafd74609c6ef3e38befcb8467d814 (patch)
treede8f653585ef351c35d7c434da6e8c5616112cc8
parent4d024ac10f964f6bd372ae0dd14f02772a6e5f63 (diff)
Limit additional sscanf strings to fit buffer sizes
None of these could currently result in buffer overflow, as the input and output buffers were the same size, but adding limits helps ensure we keep it that way, if we ever resize any of these in the future. Fixes cppcheck warnings: [lib/libXfont/src/bitmap/bdfread.c:547]: (warning) scanf without field width limits can crash with huge input data. [lib/libXfont/src/bitmap/bdfread.c:553]: (warning) scanf without field width limits can crash with huge input data. [lib/libXfont/src/bitmap/bdfread.c:636]: (warning) scanf without field width limits can crash with huge input data. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-rw-r--r--src/bitmap/bdfread.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
index e11c5d2..914a024 100644
--- a/src/bitmap/bdfread.c
+++ b/src/bitmap/bdfread.c
@@ -69,6 +69,7 @@ from The Open Group.
#define INDICES 256
#define MAXENCODING 0xFFFF
#define BDFLINELEN 1024
+#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */
static Bool bdfPadToTerminal(FontPtr pFont);
extern int bdfFileLineNum;
@@ -544,13 +545,18 @@ bdfReadHeader(FontFilePtr file, bdfFileState *pState)
unsigned char lineBuf[BDFLINELEN];
line = bdfGetLine(file, lineBuf, BDFLINELEN);
- if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+ if (!line ||
+ sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
!bdfStrEqual(namebuf, "2.1")) {
bdfError("bad 'STARTFONT'\n");
return (FALSE);
}
line = bdfGetLine(file, lineBuf, BDFLINELEN);
- if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+ if (!line ||
+ sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
bdfError("bad 'FONT'\n");
return (FALSE);
}
@@ -633,7 +639,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
while (*line && isspace(*line))
line++;
- switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+ switch (sscanf((char *) line,
+ BDFLINESTR BDFLINESTR BDFLINESTR,
+ namebuf, secondbuf, thirdbuf)) {
default:
bdfError("missing '%s' parameter value\n", namebuf);
goto BAILOUT;