From f773dae2ac3105a7bc111f88c9eb6e8930859c9d Mon Sep 17 00:00:00 2001
From: "Todd T. Fries" <todd@cvs.openbsd.org>
Date: Wed, 4 Apr 2007 02:51:58 +0000
Subject: bdf CVE-2007-1351

  BDFFont Parsing Integer Overflow Vulnerability

The discoverer of this vulnerability wishes to remain anonymous.

from matthieu@
---
 lib/libXfont/src/bitmap/bdfread.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'lib/libXfont')

diff --git a/lib/libXfont/src/bitmap/bdfread.c b/lib/libXfont/src/bitmap/bdfread.c
index acb77e949..a6f0c1e7e 100644
--- a/lib/libXfont/src/bitmap/bdfread.c
+++ b/lib/libXfont/src/bitmap/bdfread.c
@@ -65,6 +65,12 @@ from The Open Group.
 #include <X11/fonts/bitmap.h>
 #include <X11/fonts/bdfint.h>
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(INT32_MAX)
+#define INT32_MAX 0x7fffffff
+#endif
+
 #define INDICES 256
 #define MAXENCODING 0xFFFF
 #define BDFLINELEN  1024
@@ -288,6 +294,11 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
 	bdfError("invalid number of CHARS in BDF file\n");
 	return (FALSE);
     }
+    if (nchars > INT32_MAX / sizeof(CharInfoRec)) {
+	bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
+		 sizeof(CharInfoRec));
+	goto BAILOUT;
+    }
     ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec));
     if (!ci) {
 	bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
-- 
cgit v1.2.3