diff options
author | Matthieu Herrb <matthieu.herrb@laas.fr> | 2006-07-23 22:42:43 +0200 |
---|---|---|
committer | Matthieu Herrb <matthieu@reactor.herrb.com> | 2006-07-23 22:42:43 +0200 |
commit | 8d171fe61e564d8ed8f75034d4191062cecf190b (patch) | |
tree | 1a9ddaeca0f119e6d186e9c008198be12069d7ba /src/bitmap/pcfread.c | |
parent | fead0fa3bae0ba5a4744d6a2aee1caa08019f344 (diff) |
More check on PCF file reading. Bugzilla #7535
Diffstat (limited to 'src/bitmap/pcfread.c')
-rw-r--r-- | src/bitmap/pcfread.c | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/src/bitmap/pcfread.c b/src/bitmap/pcfread.c index dd76868..6210f18 100644 --- a/src/bitmap/pcfread.c +++ b/src/bitmap/pcfread.c @@ -45,6 +45,7 @@ from The Open Group. #endif #include <stdarg.h> +#include <stdint.h> void pcfError(const char* message, ...) @@ -133,6 +134,10 @@ pcfReadTOC(FontFilePtr file, int *countp) return (PCFTablePtr) NULL; count = pcfGetLSB32(file); if (IS_EOF(file)) return (PCFTablePtr) NULL; + if (count < 0 || count > INT32_MAX / sizeof(PCFTableRec)) { + pcfError("pcfReadTOC(): invalid file format\n"); + return NULL; + } tables = (PCFTablePtr) xalloc(count * sizeof(PCFTableRec)); if (!tables) { pcfError("pcfReadTOC(): Couldn't allocate tables (%d*%d)\n", count, sizeof(PCFTableRec)); @@ -252,6 +257,10 @@ pcfGetProperties(FontInfoPtr pFontInfo, FontFilePtr file, if (!PCF_FORMAT_MATCH(format, PCF_DEFAULT_FORMAT)) goto Bail; nprops = pcfGetINT32(file, format); + if (nprops <= 0 || nprops > INT32_MAX / sizeof(FontPropRec)) { + pcfError("pcfGetProperties(): invalid nprops value (%d)\n", nprops); + goto Bail; + } if (IS_EOF(file)) goto Bail; props = (FontPropPtr) xalloc(nprops * sizeof(FontPropRec)); if (!props) { @@ -267,6 +276,13 @@ pcfGetProperties(FontInfoPtr pFontInfo, FontFilePtr file, props[i].name = pcfGetINT32(file, format); isStringProp[i] = pcfGetINT8(file, format); props[i].value = pcfGetINT32(file, format); + if (props[i].name < 0 + || (isStringProp[i] != 0 && isStringProp[i] != 1) + || (isStringProp[i] && props[i].value < 0)) { + pcfError("pcfGetProperties(): invalid file format %d %d %d\n", + props[i].name, isStringProp[i], props[i].value); + goto Bail; + } if (IS_EOF(file)) goto Bail; } /* pad the property array */ @@ -282,6 +298,7 @@ pcfGetProperties(FontInfoPtr pFontInfo, FontFilePtr file, } if (IS_EOF(file)) goto Bail; string_size = pcfGetINT32(file, format); + if (string_size < 0) goto Bail; if (IS_EOF(file)) goto Bail; strings = (char *) xalloc(string_size); if (!strings) { @@ -422,6 +439,10 @@ pcfReadFont(FontPtr pFont, FontFilePtr file, else nmetrics = pcfGetINT16(file, format); if (IS_EOF(file)) goto Bail; + if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) { + pcfError("pcfReadFont(): invalid file format\n"); + goto Bail; + } metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec)); if (!metrics) { pcfError("pcfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec)); @@ -447,7 +468,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr file, nbitmaps = pcfGetINT32(file, format); if (nbitmaps != nmetrics || IS_EOF(file)) goto Bail; - + /* nmetrics is alreadt ok, so nbitmap also is */ offsets = (CARD32 *) xalloc(nbitmaps * sizeof(CARD32)); if (!offsets) { pcfError("pcfReadFont(): Couldn't allocate offsets (%d*%d)\n", nbitmaps, sizeof(CARD32)); @@ -461,6 +482,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr file, for (i = 0; i < GLYPHPADOPTIONS; i++) { bitmapSizes[i] = pcfGetINT32(file, format); if (IS_EOF(file)) goto Bail; + if (bitmapSizes[i] < 0) goto Bail; } sizebitmaps = bitmapSizes[PCF_GLYPH_PAD_INDEX(format)]; @@ -536,6 +558,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr file, if (IS_EOF(file)) goto Bail; if (nink_metrics != nmetrics) goto Bail; + /* nmetrics already checked */ ink_metrics = (xCharInfo *) xalloc(nink_metrics * sizeof(xCharInfo)); if (!ink_metrics) { pcfError("pcfReadFont(): Couldn't allocate ink_metrics (%d*%d)\n", nink_metrics, sizeof(xCharInfo)); @@ -809,6 +832,10 @@ pmfReadFont(FontPtr pFont, FontFilePtr file, else nmetrics = pcfGetINT16(file, format); if (IS_EOF(file)) goto Bail; + if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) { + pcfError("pmfReadFont(): invalid file format\n"); + goto Bail; + } metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec)); if (!metrics) { pcfError("pmfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec)); |