From e7a59cfb5d442d2965cfcffeff405a4b05591190 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb
Date: Tue, 3 Apr 2007 15:45:21 +0200
Subject: Integer overflow vulnerabilities

CVE-2007-1351: BDFFont Parsing Integer Overflow
CVE-2007-1352: fonts.dir File Parsing Integer Overflow
---
 src/bitmap/bdfread.c | 11 +++++++++++
 src/fontfile/fontdir.c | 8 ++++++++
 2 files changed, 19 insertions(+)

diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
index acb77e9..a6f0c1e 100644
--- a/src/bitmap/bdfread.c
+++ b/src/bitmap/bdfread.c
@@ -65,6 +65,12 @@ from The Open Group.
 #include
 #include
 
+#if HAVE_STDINT_H
+#include
+#elif !defined(INT32_MAX)
+#define INT32_MAX 0x7fffffff
+#endif
+
 #define INDICES 256
 #define MAXENCODING 0xFFFF
 #define BDFLINELEN 1024
@@ -288,6 +294,11 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
 bdfError("invalid number of CHARS in BDF file\n");
 return (FALSE);
 }
+ if (nchars > INT32_MAX / sizeof(CharInfoRec)) {
+ bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
+ sizeof(CharInfoRec));
+ goto BAILOUT;
+ }
 ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec));
 if (!ci) {
 bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index aae1f2e..cf68a54 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -38,9 +38,17 @@ in this Software without prior written authorization from The Open Group.
 #include
 #include
 
+#if HAVE_STDINT_H
+#include
+#elif !defined(INT32_MAX)
+#define INT32_MAX 0x7fffffff
+#endif
+
 Bool
 FontFileInitTable (FontTablePtr table, int size)
 {
+ if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec)))
+ return FALSE;
 if (size)
 {
 table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size);
-- 
cgit v1.2.3
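Review bot: The INT32_MAX fallback added at the top of bdfread.c is only reached when `HAVE_STDINT_H` is zero or undefined, which depends on the configure header having been included earlier; that include is not visible in the hunk and should be confirmed. The same five-line shim is repeated in the fontdir.c hunk, so the two copies can drift apart; a single private header would keep the bound in one place. A comment such as `/* INT32_MAX bounds allocation sizes computed from untrusted font data */` above the block would record why the macro is needed here.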
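Review bot: The new bdfError call in the second bdfread.c hunk passes `sizeof(CharInfoRec)`, a size_t, to a `%d` conversion, which is a type mismatch on platforms where size_t is wider than int, assuming bdfError forwards to a printf-style formatter. It also reuses the "Couldn't allocate pCI" text of the allocation-failure path just below, so a log cannot tell a rejected CHARS count from an out-of-memory condition. Something like `bdfError("CHARS count too large (%d*%lu)\n", nchars, (unsigned long) sizeof(CharInfoRec));` would fix both. The pre-existing call after xalloc has the same `%d` mismatch. bdfReadCharacters starts and ends outside the hunk, so whether BAILOUT is safe to reach before `ci` is allocated cannot be checked from here.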
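Review bot: The new guard in FontFileInitTable compares the signed `size` with an unsigned quotient, so it is only correct because `size < 0` is tested first. Writing the conversion out, `if (size < 0 || (size_t) size > INT32_MAX / sizeof(FontEntryRec))`, makes that explicit and avoids sign-compare warnings. The early `return FALSE` happens before any field of `table` is written, so a caller that ignores the result would presumably continue with an uninitialised table; the rest of the function and its callers are outside the hunk, so this should be confirmed. A comment like `/* reject negative or overflowing entry counts from fonts.dir before sizing the allocation */` would record the intent.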