Integer overflow vulnerabilities

CVE-2007-1351: BDFFont Parsing Integer Overflow CVE-2007-1352: fonts.dir File Parsing Integer Overflow
author: Matthieu Herrb <matthieu@roadrock.(none)> 2007-04-03 15:45:21 +0200
committer: Matthieu Herrb <matthieu@roadrock.(none)> 2007-04-03 15:45:21 +0200
commit: e7a59cfb5d442d2965cfcffeff405a4b05591190 (patch)
tree: ed517ce0794f87a785f0b3e9889bb94eba474532 /src/fontfile/fontdir.c
parent: cc824e4f2c9a53a00b36a6f83bf065c363027087 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index aae1f2e..cf68a54 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -38,9 +38,17 @@ in this Software without prior written authorization from The Open Group.
 #include    <X11/fonts/fntfilst.h>
 #include    <X11/keysym.h>
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(INT32_MAX)
+#define INT32_MAX 0x7fffffff
+#endif
+
 Bool
 FontFileInitTable (FontTablePtr table, int size)
 {
+    if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec))) 
+	return FALSE;
     if (size)
     {
 	table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size);
author	Matthieu Herrb <matthieu@roadrock.(none)>	2007-04-03 15:45:21 +0200
committer	Matthieu Herrb <matthieu@roadrock.(none)>	2007-04-03 15:45:21 +0200
commit	e7a59cfb5d442d2965cfcffeff405a4b05591190 (patch)
tree	ed517ce0794f87a785f0b3e9889bb94eba474532 /src/fontfile/fontdir.c
parent	cc824e4f2c9a53a00b36a6f83bf065c363027087 (diff)