authorMatthieu Herrb <matthieu@cvs.openbsd.org>2008-01-17 15:44:50 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2008-01-17 15:44:50 +0000
commit63044a8336fea3ae7debede4e1888aaa68ea8b43 (patch)
tree03077a93d70c78f0795c7d843f48edfeb1b1578c /lib
parentb26d7d4251e204dce314ef01b386545e58565618 (diff)
Fix from X.Org for CVE-2008-0006 - PCF Font parser buffer overflow.
Diffstat (limited to 'lib')
-rw-r--r--lib/libXfont/src/bitmap/pcfread.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/libXfont/src/bitmap/pcfread.c b/lib/libXfont/src/bitmap/pcfread.c
index fd418496e..c5db2555b 100644
--- a/lib/libXfont/src/bitmap/pcfread.c
+++ b/lib/libXfont/src/bitmap/pcfread.c
@@ -588,6 +588,9 @@ pcfReadFont(FontPtr pFont, FontFilePtr file,
pFont->info.lastRow = pcfGetINT16(file, format);
pFont->info.defaultCh = pcfGetINT16(file, format);
if (IS_EOF(file)) goto Bail;
+ if (pFont->info.firstCol > pFont->info.lastCol ||
+ pFont->info.firstRow > pFont->info.lastRow ||
+ pFont->info.lastCol-pFont->info.firstCol > 255) goto Bail;
nencoding = (pFont->info.lastCol - pFont->info.firstCol + 1) *
(pFont->info.lastRow - pFont->info.firstRow + 1);
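Review bot: The added guard caps the column span at 255 but leaves the row span unbounded, so `lastRow - firstRow + 1` is still multiplied into `nencoding` at whatever size the field allows. If these fields are 16-bit, as the pcfGetINT16 reads suggest, the product stays within int range, but it presumably still sizes the encoding table built later in pcfReadFont, which is outside this hunk. If the format limits rows to a byte as it does columns, add `pFont->info.lastRow - pFont->info.firstRow > 255` as a fourth condition. Otherwise a comment such as `/* column span capped so nencoding stays bounded; row span limited only by field width */` would record why the column cap alone is considered sufficient. The same applies to the identical check added to pcfReadFontInfo in the second hunk.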
@@ -726,6 +729,9 @@ pcfReadFontInfo(FontInfoPtr pFontInfo, FontFilePtr file)
pFontInfo->lastRow = pcfGetINT16(file, format);
pFontInfo->defaultCh = pcfGetINT16(file, format);
if (IS_EOF(file)) goto Bail;
+ if (pFontInfo->firstCol > pFontInfo->lastCol ||
+ pFontInfo->firstRow > pFontInfo->lastRow ||
+ pFontInfo->lastCol-pFontInfo->firstCol > 255) goto Bail;
nencoding = (pFontInfo->lastCol - pFontInfo->firstCol + 1) *
(pFontInfo->lastRow - pFontInfo->firstRow + 1);