From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Fri, 6 Feb 2015 15:50:45 -0800 Subject: bdfReadProperties: property count needs range check [CVE-2015-1802] Avoid integer overflow or underflow when allocating memory arrays by multiplying the number of properties reported for a BDF font. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith Reviewed-by: Julien Cristau --- src/bitmap/bdfread.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c index 914a024..6387908 100644 --- a/src/bitmap/bdfread.c +++ b/src/bitmap/bdfread.c @@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState) bdfError("missing 'STARTPROPERTIES'\n"); return (FALSE); } - if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) { + if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) || + (nProps <= 0) || + (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { bdfError("bad 'STARTPROPERTIES'\n"); return (FALSE); } -- cgit v1.2.3