authorTodd T. Fries <todd@cvs.openbsd.org>2007-04-04 02:51:27 +0000
committerTodd T. Fries <todd@cvs.openbsd.org>2007-04-04 02:51:27 +0000
commit5bfbd6bdcd236c5fa0c7de44177b004892f9cb02 (patch)
tree3f10b0f82a1047db8d13afc833c2e38670c71c6d /lib/libXfont/src
parent7d901b3510e4bceeec0f1f8d2d41989fdf3356d2 (diff)
fontdir CVE-2007-1352
fonts.dir File Parsing Integer Overflow Vulnerability. The discoverer of this vulnerability wishes to remain anonymous. from matthieu@
Diffstat (limited to 'lib/libXfont/src')
-rw-r--r--lib/libXfont/src/fontfile/fontdir.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/libXfont/src/fontfile/fontdir.c b/lib/libXfont/src/fontfile/fontdir.c
index aae1f2e25..cf68a547c 100644
--- a/lib/libXfont/src/fontfile/fontdir.c
+++ b/lib/libXfont/src/fontfile/fontdir.c
@@ -38,9 +38,17 @@ in this Software without prior written authorization from The Open Group.
#include <X11/fonts/fntfilst.h>
#include <X11/keysym.h>
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(INT32_MAX)
+#define INT32_MAX 0x7fffffff
+#endif
+
Bool
FontFileInitTable (FontTablePtr table, int size)
{
+ if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec)))
+ return FALSE;
if (size)
{
table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size);
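Review bot: The second half of the new guard in FontFileInitTable is a mixed signed/unsigned comparison, because `size` is an `int` while `INT32_MAX/sizeof(FontEntryRec)` has the unsigned type of `sizeof`, and nothing in the code says why the bound exists. The result is correct as written, since negative counts are rejected by `size < 0` first, but I would make the conversion explicit and document the intent: `/* reject negative or overflowing entry counts before sizing the allocation */` above `if (size < 0 || (size_t)size > INT32_MAX / sizeof(FontEntryRec))`. The early `return FALSE` also leaves `table` unmodified, so it only protects callers that check the return value. The rest of the function and its callers are outside this hunk, so that should be confirmed, along with any other place where an entry count is multiplied by `sizeof(FontEntryRec)`.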