fix from matthieu@ as applied upstream for CVE-2011-2895

ok deraadt@
author: Todd T. Fries <todd@cvs.openbsd.org> 2011-08-11 15:29:03 +0000
committer: Todd T. Fries <todd@cvs.openbsd.org> 2011-08-11 15:29:03 +0000
commit: 4fb2f769ab80d79b4e1730b1688ee21b130596ed (patch)
tree: 4f03e34011182a507c9d0ebbe100a388b7c4f840 /lib
parent: 23d049ba2ba5f68abd11e72b60fb46654b51ffa7 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/libXfont/src/fontfile/decompress.c b/lib/libXfont/src/fontfile/decompress.c
index b1fc37b85..c8171dd4a 100644
--- a/lib/libXfont/src/fontfile/decompress.c
+++ b/lib/libXfont/src/fontfile/decompress.c
@@ -259,6 +259,8 @@ BufCompressedFill (BufFilePtr f)
      	 */
     	while ( code >= 256 )
     	{
+	    if (stackp - de_stack >= STACK_SIZE - 1)
+		return BUFFILEEOF;
 	    *stackp++ = file->tab_suffix[code];
 	    code = file->tab_prefix[code];
     	}
author	Todd T. Fries <todd@cvs.openbsd.org>	2011-08-11 15:29:03 +0000
committer	Todd T. Fries <todd@cvs.openbsd.org>	2011-08-11 15:29:03 +0000
commit	4fb2f769ab80d79b4e1730b1688ee21b130596ed (patch)
tree	4f03e34011182a507c9d0ebbe100a388b7c4f840 /lib
parent	23d049ba2ba5f68abd11e72b60fb46654b51ffa7 (diff)