You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
31 lines
1.1 KiB
Diff
31 lines
1.1 KiB
Diff
From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001
|
|
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Date: Fri, 6 Feb 2015 15:50:45 -0800
|
|
Subject: bdfReadProperties: property count needs range check [CVE-2015-1802]
|
|
|
|
Avoid integer overflow or underflow when allocating memory arrays
|
|
by multiplying the number of properties reported for a BDF font.
|
|
|
|
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
|
|
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
|
|
index 914a024..6387908 100644
|
|
--- a/src/bitmap/bdfread.c
|
|
+++ b/src/bitmap/bdfread.c
|
|
@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
|
|
bdfError("missing 'STARTPROPERTIES'\n");
|
|
return (FALSE);
|
|
}
|
|
- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
|
|
+ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
|
|
+ (nProps <= 0) ||
|
|
+ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
|
|
bdfError("bad 'STARTPROPERTIES'\n");
|
|
return (FALSE);
|
|
}
|
|
--
|
|
cgit v0.10.2
|
|
|