authorTodd T. Fries <todd@cvs.openbsd.org>2007-04-04 02:54:25 +0000
committerTodd T. Fries <todd@cvs.openbsd.org>2007-04-04 02:54:25 +0000
commit2a1e890dc8f6bbfdb17e2a03ed71b252ce4440e7 (patch)
tree8fd15f58484e63859a864f7c9989a8fd171c525e /lib
parente637bb00478215b0027a90f504da4143c6af9645 (diff)
bdf CVE-2007-1351
BDFFont Parsing Integer Overflow Vulnerability The discoverer of this vulnerability wishes to remain anonymous. from matthieu@
Diffstat (limited to 'lib')
-rw-r--r--lib/freetype/src/bdf/bdflib.c23
1 files changed, 20 insertions, 3 deletions
diff --git a/lib/freetype/src/bdf/bdflib.c b/lib/freetype/src/bdf/bdflib.c
index 3c928e563..743c9c677 100644
--- a/lib/freetype/src/bdf/bdflib.c
+++ b/lib/freetype/src/bdf/bdflib.c
@@ -384,8 +384,10 @@
} _bdf_parse_t;
-#define setsbit( m, cc ) ( m[(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) )
-#define sbitset( m, cc ) ( m[(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) )
+#define setsbit( m, cc ) \
+ ( m[(FT_Byte)(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) )
+#define sbitset( m, cc ) \
+ ( m[(FT_Byte)(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) )
static void
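Review bot: In the new `setsbit`/`sbitset` bodies the index `(FT_Byte)(cc) >> 3` relies on the cast binding tighter than the shift, and nothing on these lines says why the cast is there. The cast keeps the index in 0..31 even when `cc` is a negative `char` or a value above 255, which presumably matches the size of the bitmap arrays declared outside this hunk. I would parenthesise it as `m[( (FT_Byte)(cc) ) >> 3]` and add `/* cc is reduced to one byte so the index stays in 0..31; m must hold at least 32 bytes */` above the macros. Both macros also still expand `cc` twice, so callers must not pass an expression with side effects.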
@@ -1129,7 +1131,7 @@
bdf_options_t* opts )
{
unsigned long len;
- char name[128];
+ char name[256];
_bdf_list_t list;
FT_Memory memory;
FT_Error error = BDF_Err_Ok;
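Review bot: The new size in `char name[256];` is repeated as a bare literal in the length check added in the next hunk (`if ( len >= 256 )`), so the buffer and its guard can drift apart if either is edited later. Writing the check as `if ( len >= sizeof ( name ) )` ties the bound to the buffer it protects before `FT_MEM_COPY( name, font->name, len )`. The enclosing function starts and ends outside this hunk.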
@@ -1148,6 +1150,13 @@
font->spacing = opts->font_spacing;
len = (unsigned long)( ft_strlen( font->name ) + 1 );
+ /* Limit ourselves to 256 characters in the font name. */
+ if ( len >= 256 )
+ {
+ error = BDF_Err_Invalid_Argument;
+ goto Exit;
+ }
+
FT_MEM_COPY( name, font->name, len );
error = _bdf_list_split( &list, (char *)"-", name, len );
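Review bot: The added comment says the limit is 256 characters, but `len` is `ft_strlen( font->name ) + 1`, so `if ( len >= 256 )` rejects every name longer than 254 characters. The bound itself is safe for the copy into `name` that follows; only the wording is off, and a later reader may widen the check to match the comment. I would word it as `/* Reject font names that do not fit in name[], terminating NUL included. */`. The enclosing function starts and ends outside the hunk.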
@@ -1482,6 +1491,14 @@
if ( p->cnt == 0 )
font->glyphs_size = 64;
+ /* Limit ourselves to 1,114,112 glyphs in the font (this is the */
+ /* number of code points available in Unicode). */
+ if ( p->cnt >= 1114112UL )
+ {
+ error = BDF_Err_Invalid_Argument;
+ goto Exit;
+ }
+
if ( FT_NEW_ARRAY( font->glyphs, font->glyphs_size ) )
goto Exit;
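Review bot: The new guard tests `p->cnt`, while the allocation right after it is sized by `font->glyphs_size`; the bound only protects `FT_NEW_ARRAY` if the two hold the same value, which is set up above this hunk and cannot be confirmed from these lines. Checking the value that is actually passed, `if ( font->glyphs_size >= 1114112UL )`, would make the guard hold on its own. Because the test is `>=`, the largest accepted count is 1,114,111, one less than the comment states. The enclosing function starts and ends outside the hunk.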