aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/lib/font/fontfile
diff options
context:
space:
mode:
authorMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-16 10:29:14 +0100
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-16 10:29:14 +0100
commit18e337ddf410accec5bdf18c5d28bbd5f3ace7cb (patch)
tree82cb3c7463d7f22d273f4710e6fa9aaf0fa45925 /nx-X11/lib/font/fontfile
parent26cfe931f864b92c4b6026002f37987c56665977 (diff)
downloadnx-libs-18e337ddf410accec5bdf18c5d28bbd5f3ace7cb.tar.gz
nx-libs-18e337ddf410accec5bdf18c5d28bbd5f3ace7cb.tar.bz2
nx-libs-18e337ddf410accec5bdf18c5d28bbd5f3ace7cb.zip
Revert "Do proper input validation to fix for CVE-2011-2895."
This reverts commit 6acafc9334828da22446380c81af81bde14b5d86.
Diffstat (limited to 'nx-X11/lib/font/fontfile')
-rw-r--r--nx-X11/lib/font/fontfile/decompress.c31
1 files changed, 14 insertions, 17 deletions
diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c
index 12b9f0a57..553b31585 100644
--- a/nx-X11/lib/font/fontfile/decompress.c
+++ b/nx-X11/lib/font/fontfile/decompress.c
@@ -99,7 +99,7 @@ static char_type magic_header[] = { "\037\235" }; /* 1F 9D */
#define FIRST 257 /* first free entry */
#define CLEAR 256 /* table clear output code */
-#define STACK_SIZE 65300
+#define STACK_SIZE 8192
typedef struct _compressedFILE {
BufFilePtr file;
@@ -180,12 +180,14 @@ BufFilePushCompressed (BufFilePtr f)
file->tab_suffix[code] = (char_type) code;
}
file->free_ent = ((file->block_compress) ? FIRST : 256 );
- file->oldcode = -1;
file->clear_flg = 0;
file->offset = 0;
file->size = 0;
file->stackp = file->de_stack;
bzero(file->buf, BITS);
+ file->finchar = file->oldcode = getcode (file);
+ if (file->oldcode != -1)
+ *file->stackp++ = file->finchar;
return BufFileCreate ((char *) file,
BufCompressedFill,
0,
@@ -230,6 +232,9 @@ BufCompressedFill (BufFilePtr f)
if (buf == bufend)
break;
+ if (oldcode == -1)
+ break;
+
code = getcode (file);
if (code == -1)
break;
@@ -238,34 +243,26 @@ BufCompressedFill (BufFilePtr f)
for ( code = 255; code >= 0; code-- )
file->tab_prefix[code] = 0;
file->clear_flg = 1;
- file->free_ent = FIRST;
- oldcode = -1;
- continue;
+ file->free_ent = FIRST - 1;
+ if ( (code = getcode (file)) == -1 ) /* O, untimely death! */
+ break;
}
incode = code;
/*
* Special case for KwKwK string.
*/
if ( code >= file->free_ent ) {
- if ( code > file->free_ent || oldcode == -1 ) {
- /* Bad stream. */
- return BUFFILEEOF;
- }
*stackp++ = finchar;
code = oldcode;
}
-+ /*
-+ * The above condition ensures that code < free_ent.
-+ * The construction of tab_prefixof in turn guarantees that
-+ * each iteration decreases code and therefore stack usage is
-+ * bound by 1 << BITS - 256.
-+ */
-
+
/*
* Generate output characters in reverse order
*/
while ( code >= 256 )
{
+ if (stackp - de_stack >= STACK_SIZE - 1)
+ return BUFFILEEOF;
*stackp++ = file->tab_suffix[code];
code = file->tab_prefix[code];
}
@@ -275,7 +272,7 @@ BufCompressedFill (BufFilePtr f)
/*
* Generate the new entry.
*/
- if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) {
+ if ( (code=file->free_ent) < file->maxmaxcode ) {
file->tab_prefix[code] = (unsigned short)oldcode;
file->tab_suffix[code] = finchar;
file->free_ent = code+1;