bdf CVE-2007-1351

BDFFont Parsing Integer Overflow Vulnerability The discoverer of this vulnerability wishes to remain anonymous. from matthieu@
author: Todd T. Fries <todd@cvs.openbsd.org> 2007-04-04 02:51:58 +0000
committer: Todd T. Fries <todd@cvs.openbsd.org> 2007-04-04 02:51:58 +0000
commit: f773dae2ac3105a7bc111f88c9eb6e8930859c9d (patch)
tree: 8bb54432ca6970144c8888e161e922881d2bb667 /lib/libXfont
parent: 5bfbd6bdcd236c5fa0c7de44177b004892f9cb02 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/libXfont/src/bitmap/bdfread.c b/lib/libXfont/src/bitmap/bdfread.c
index acb77e949..a6f0c1e7e 100644
--- a/lib/libXfont/src/bitmap/bdfread.c
+++ b/lib/libXfont/src/bitmap/bdfread.c
@@ -65,6 +65,12 @@ from The Open Group.
 #include <X11/fonts/bitmap.h>
 #include <X11/fonts/bdfint.h>
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(INT32_MAX)
+#define INT32_MAX 0x7fffffff
+#endif
+
 #define INDICES 256
 #define MAXENCODING 0xFFFF
 #define BDFLINELEN  1024
@@ -288,6 +294,11 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
 	bdfError("invalid number of CHARS in BDF file\n");
 	return (FALSE);
     }
+    if (nchars > INT32_MAX / sizeof(CharInfoRec)) {
+	bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
+		 sizeof(CharInfoRec));
+	goto BAILOUT;
+    }
     ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec));
     if (!ci) {
 	bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
author	Todd T. Fries <todd@cvs.openbsd.org>	2007-04-04 02:51:58 +0000
committer	Todd T. Fries <todd@cvs.openbsd.org>	2007-04-04 02:51:58 +0000
commit	f773dae2ac3105a7bc111f88c9eb6e8930859c9d (patch)
tree	8bb54432ca6970144c8888e161e922881d2bb667 /lib/libXfont
parent	5bfbd6bdcd236c5fa0c7de44177b004892f9cb02 (diff)