From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Fri, 6 Feb 2015 15:54:00 -0800 Subject: bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803] Previously would charge on ahead with a NULL pointer in ci->bits, and then crash later in FontCharInkMetrics() trying to access the bits. Found with afl-1.23b. Signed-off-by: Alan Coopersmith Reviewed-by: Julien Cristau --- src/bitmap/bdfread.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c index 6387908..1b29b81 100644 --- a/src/bitmap/bdfread.c +++ b/src/bitmap/bdfread.c @@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, ci->metrics.descent = -bb; ci->metrics.characterWidth = wx; ci->bits = NULL; - bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes); + if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) { + bdfError("could not read bitmap for character '%s'\n", charName); + goto BAILOUT; + } ci++; ndx++; } else -- cgit v1.2.3