You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
34 lines
1.1 KiB
Diff
34 lines
1.1 KiB
Diff
From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001
|
|
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Date: Fri, 6 Feb 2015 15:54:00 -0800
|
|
Subject: bdfReadCharacters: bailout if a char's bitmap cannot be read
|
|
[CVE-2015-1803]
|
|
|
|
Previously would charge on ahead with a NULL pointer in ci->bits, and
|
|
then crash later in FontCharInkMetrics() trying to access the bits.
|
|
|
|
Found with afl-1.23b.
|
|
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
|
|
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
|
|
index 6387908..1b29b81 100644
|
|
--- a/src/bitmap/bdfread.c
|
|
+++ b/src/bitmap/bdfread.c
|
|
@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
|
|
ci->metrics.descent = -bb;
|
|
ci->metrics.characterWidth = wx;
|
|
ci->bits = NULL;
|
|
- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
|
|
+ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
|
|
+ bdfError("could not read bitmap for character '%s'\n", charName);
|
|
+ goto BAILOUT;
|
|
+ }
|
|
ci++;
|
|
ndx++;
|
|
} else
|
|
--
|
|
cgit v0.10.2
|
|
|