From 1a73d6828dfa03924f2d68644fb5b99afd9c78e2 Mon Sep 17 00:00:00 2001 From: Benjamin Tissoires Date: Mon, 13 Jul 2015 14:43:06 -0400 Subject: [PATCH] bdfReadCharacters: Allow negative DWIDTH values MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The fix for CVE-2015-1804 prevent DWIDTH to be negative. However, the spec states that "DWIDTH [...] is a vector indicating the position of the next glyph’s origin relative to the origin of this glyph." So negative values are correct. Found by trying to compile XTS. Signed-off-by: Benjamin Tissoires Reviewed-by: Peter Hutterer Signed-off-by: Alan Coopersmith --- src/bitmap/bdfread.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c index a0ace8f..eccd7b7 100644 --- a/src/bitmap/bdfread.c +++ b/src/bitmap/bdfread.c @@ -426,7 +426,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, goto BAILOUT; } /* xCharInfo metrics are stored as INT16 */ - if ((wx < 0) || (wx > INT16_MAX)) { + if ((wx < INT16_MIN) || (wx > INT16_MAX)) { bdfError("character '%s' has out of range width, %d\n", charName, wx); goto BAILOUT; -- 2.1.0