diff options
| author | Todd T. Fries <todd@cvs.openbsd.org> | 2007-04-04 02:51:58 +0000 |
|---|---|---|
| committer | Todd T. Fries <todd@cvs.openbsd.org> | 2007-04-04 02:51:58 +0000 |
| commit | f773dae2ac3105a7bc111f88c9eb6e8930859c9d (patch) | |
| tree | 8bb54432ca6970144c8888e161e922881d2bb667 /lib | |
| parent | 5bfbd6bdcd236c5fa0c7de44177b004892f9cb02 (diff) | |
bdf CVE-2007-1351
BDFFont Parsing Integer Overflow Vulnerability
The discoverer of this vulnerability wishes to remain anonymous.
from matthieu@
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libXfont/src/bitmap/bdfread.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/libXfont/src/bitmap/bdfread.c b/lib/libXfont/src/bitmap/bdfread.c index acb77e949..a6f0c1e7e 100644 --- a/lib/libXfont/src/bitmap/bdfread.c +++ b/lib/libXfont/src/bitmap/bdfread.c @@ -65,6 +65,12 @@ from The Open Group. #include <X11/fonts/bitmap.h> #include <X11/fonts/bdfint.h> +#if HAVE_STDINT_H +#include <stdint.h> +#elif !defined(INT32_MAX) +#define INT32_MAX 0x7fffffff +#endif + #define INDICES 256 #define MAXENCODING 0xFFFF #define BDFLINELEN 1024 @@ -288,6 +294,11 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, bdfError("invalid number of CHARS in BDF file\n"); return (FALSE); } + if (nchars > INT32_MAX / sizeof(CharInfoRec)) { + bdfError("Couldn't allocate pCI (%d*%d)\n", nchars, + sizeof(CharInfoRec)); + goto BAILOUT; + } ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec)); if (!ci) { bdfError("Couldn't allocate pCI (%d*%d)\n", nchars, |