diff options
author | Benjamin Tissoires <benjamin.tissoires@gmail.com> | 2015-07-13 14:43:06 -0400 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2015-07-28 16:06:57 -0700 |
commit | 1a73d6828dfa03924f2d68644fb5b99afd9c78e2 (patch) | |
tree | 4ac8d9c1027409c6b462578c3d31de713a45dd12 /src | |
parent | 159bfa4ec094e7d342c9b59c31bfea7dccbac58a (diff) |
bdfReadCharacters: Allow negative DWIDTH values
The fix for CVE-2015-1804 prevent DWIDTH to be negative.
However, the spec states that "DWIDTH [...] is a vector indicating the
position of the next glyph’s origin relative to the origin of this glyph."
So negative values are correct.
Found by trying to compile XTS.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/bitmap/bdfread.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c index a0ace8f..eccd7b7 100644 --- a/src/bitmap/bdfread.c +++ b/src/bitmap/bdfread.c @@ -426,7 +426,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, goto BAILOUT; } /* xCharInfo metrics are stored as INT16 */ - if ((wx < 0) || (wx > INT16_MAX)) { + if ((wx < INT16_MIN) || (wx > INT16_MAX)) { bdfError("character '%s' has out of range width, %d\n", charName, wx); goto BAILOUT; |