|
 |
9950e3 |
From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001
|
|
|
9950e3 |
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
9950e3 |
Date: Fri, 6 Mar 2015 22:54:58 -0800
|
|
|
9950e3 |
Subject: bdfReadCharacters: ensure metrics fit into xCharInfo struct
|
|
|
9950e3 |
[CVE-2015-1804]
|
|
|
9950e3 |
|
|
|
9950e3 |
We use 32-bit ints to read from the bdf file, but then try to stick
|
|
|
9950e3 |
into a 16-bit int in the xCharInfo struct, so make sure they won't
|
|
|
9950e3 |
overflow that range.
|
|
|
9950e3 |
|
|
|
9950e3 |
Found by afl-1.24b.
|
|
|
9950e3 |
|
|
|
9950e3 |
v2: Verify that additions won't overflow 32-bit int range either.
|
|
|
9950e3 |
v3: As Julien correctly observes, the previous check for bh & bw not
|
|
|
9950e3 |
being < 0 reduces the number of cases we need to check for overflow.
|
|
|
9950e3 |
|
|
|
9950e3 |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
9950e3 |
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
|
9950e3 |
|
|
|
9950e3 |
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
|
|
|
9950e3 |
index 1b29b81..a0ace8f 100644
|
|
|
9950e3 |
--- a/src/bitmap/bdfread.c
|
|
|
9950e3 |
+++ b/src/bitmap/bdfread.c
|
|
|
9950e3 |
@@ -62,8 +62,16 @@ from The Open Group.
|
|
|
9950e3 |
|
|
|
9950e3 |
#if HAVE_STDINT_H
|
|
|
9950e3 |
#include <stdint.h>
|
|
|
9950e3 |
-#elif !defined(INT32_MAX)
|
|
|
9950e3 |
-#define INT32_MAX 0x7fffffff
|
|
|
9950e3 |
+#else
|
|
|
9950e3 |
+# ifndef INT32_MAX
|
|
|
9950e3 |
+# define INT32_MAX 0x7fffffff
|
|
|
9950e3 |
+# endif
|
|
|
9950e3 |
+# ifndef INT16_MAX
|
|
|
9950e3 |
+# define INT16_MAX 0x7fff
|
|
|
9950e3 |
+# endif
|
|
|
9950e3 |
+# ifndef INT16_MIN
|
|
|
9950e3 |
+# define INT16_MIN (0 - 0x8000)
|
|
|
9950e3 |
+# endif
|
|
|
9950e3 |
#endif
|
|
|
9950e3 |
|
|
|
9950e3 |
#define INDICES 256
|
|
|
9950e3 |
@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
|
|
|
9950e3 |
bdfError("DWIDTH y value must be zero\n");
|
|
|
9950e3 |
goto BAILOUT;
|
|
|
9950e3 |
}
|
|
|
9950e3 |
+ /* xCharInfo metrics are stored as INT16 */
|
|
|
9950e3 |
+ if ((wx < 0) || (wx > INT16_MAX)) {
|
|
|
9950e3 |
+ bdfError("character '%s' has out of range width, %d\n",
|
|
|
9950e3 |
+ charName, wx);
|
|
|
9950e3 |
+ goto BAILOUT;
|
|
|
9950e3 |
+ }
|
|
|
9950e3 |
line = bdfGetLine(file, lineBuf, BDFLINELEN);
|
|
|
9950e3 |
if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) {
|
|
|
9950e3 |
bdfError("bad 'BBX'\n");
|
|
|
9950e3 |
@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
|
|
|
9950e3 |
charName, bw, bh);
|
|
|
9950e3 |
goto BAILOUT;
|
|
|
9950e3 |
}
|
|
|
9950e3 |
+ /* xCharInfo metrics are read as int, but stored as INT16 */
|
|
|
9950e3 |
+ if ((bl > INT16_MAX) || (bl < INT16_MIN) ||
|
|
|
9950e3 |
+ (bb > INT16_MAX) || (bb < INT16_MIN) ||
|
|
|
9950e3 |
+ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) {
|
|
|
9950e3 |
+ bdfError("character '%s' has out of range metrics, %d %d %d %d\n",
|
|
|
9950e3 |
+ charName, bl, (bl+bw), (bh+bb), -bb);
|
|
|
9950e3 |
+ goto BAILOUT;
|
|
|
9950e3 |
+ }
|
|
|
9950e3 |
line = bdfGetLine(file, lineBuf, BDFLINELEN);
|
|
|
9950e3 |
if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) {
|
|
|
9950e3 |
for (p = line + strlen("ATTRIBUTES ");
|
|
|
9950e3 |
--
|
|
|
9950e3 |
cgit v0.10.2
|
|
|
9950e3 |
|