|
|
5ffec6 |
From 1a73d6828dfa03924f2d68644fb5b99afd9c78e2 Mon Sep 17 00:00:00 2001
|
|
|
5ffec6 |
From: Benjamin Tissoires <benjamin.tissoires@gmail.com>
|
|
|
5ffec6 |
Date: Mon, 13 Jul 2015 14:43:06 -0400
|
|
|
5ffec6 |
Subject: [PATCH] bdfReadCharacters: Allow negative DWIDTH values
|
|
|
5ffec6 |
MIME-Version: 1.0
|
|
|
5ffec6 |
Content-Type: text/plain; charset=UTF-8
|
|
|
5ffec6 |
Content-Transfer-Encoding: 8bit
|
|
|
5ffec6 |
|
|
|
5ffec6 |
The fix for CVE-2015-1804 prevent DWIDTH to be negative.
|
|
|
5ffec6 |
However, the spec states that "DWIDTH [...] is a vector indicating the
|
|
|
5ffec6 |
position of the next glyph’s origin relative to the origin of this glyph."
|
|
|
5ffec6 |
|
|
|
5ffec6 |
So negative values are correct.
|
|
|
5ffec6 |
|
|
|
5ffec6 |
Found by trying to compile XTS.
|
|
|
5ffec6 |
|
|
|
5ffec6 |
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
|
|
|
5ffec6 |
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
5ffec6 |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
5ffec6 |
---
|
|
|
5ffec6 |
src/bitmap/bdfread.c | 2 +-
|
|
|
5ffec6 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
5ffec6 |
|
|
|
5ffec6 |
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
|
|
|
5ffec6 |
index a0ace8f..eccd7b7 100644
|
|
|
5ffec6 |
--- a/src/bitmap/bdfread.c
|
|
|
5ffec6 |
+++ b/src/bitmap/bdfread.c
|
|
|
5ffec6 |
@@ -426,7 +426,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
|
|
|
5ffec6 |
goto BAILOUT;
|
|
|
5ffec6 |
}
|
|
|
5ffec6 |
/* xCharInfo metrics are stored as INT16 */
|
|
|
5ffec6 |
- if ((wx < 0) || (wx > INT16_MAX)) {
|
|
|
5ffec6 |
+ if ((wx < INT16_MIN) || (wx > INT16_MAX)) {
|
|
|
5ffec6 |
bdfError("character '%s' has out of range width, %d\n",
|
|
|
5ffec6 |
charName, wx);
|
|
|
5ffec6 |
goto BAILOUT;
|
|
|
5ffec6 |
--
|
|
|
5ffec6 |
2.1.0
|
|
|
5ffec6 |
|