author | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-16 10:29:14 +0100 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-16 10:29:14 +0100 |
commit | 18e337ddf410accec5bdf18c5d28bbd5f3ace7cb (patch) | |
tree | 82cb3c7463d7f22d273f4710e6fa9aaf0fa45925 /nx-X11/lib/font/fontfile | |
parent | 26cfe931f864b92c4b6026002f37987c56665977 (diff) | |
Revert "Do proper input validation to fix for CVE-2011-2895."
This reverts commit 6acafc9334828da22446380c81af81bde14b5d86.
Diffstat (limited to 'nx-X11/lib/font/fontfile')
-rw-r--r-- | nx-X11/lib/font/fontfile/decompress.c | 31 |
1 files changed, 14 insertions, 17 deletions
diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c
index 12b9f0a57..553b31585 100644
--- a/nx-X11/lib/font/fontfile/decompress.c
+++ b/nx-X11/lib/font/fontfile/decompress.c
@@ -99,7 +99,7 @@ static char_type magic_header[] = { "\037\235" }; /* 1F 9D */
 #define FIRST 257 /* first free entry */
 #define CLEAR 256 /* table clear output code */
-#define STACK_SIZE 65300
+#define STACK_SIZE 8192
 typedef struct _compressedFILE {
 BufFilePtr file;
@@ -180,12 +180,14 @@ BufFilePushCompressed (BufFilePtr f)
 file->tab_suffix[code] = (char_type) code;
 }
 file->free_ent = ((file->block_compress) ? FIRST : 256 );
- file->oldcode = -1;
 file->clear_flg = 0;
 file->offset = 0;
 file->size = 0;
 file->stackp = file->de_stack;
 bzero(file->buf, BITS);
+ file->finchar = file->oldcode = getcode (file);
+ if (file->oldcode != -1)
+ *file->stackp++ = file->finchar;
 return BufFileCreate ((char *) file,
 BufCompressedFill,
 0,
@@ -230,6 +232,9 @@ BufCompressedFill (BufFilePtr f)
 if (buf == bufend)
 break;
+ if (oldcode == -1)
+ break;
+
 code = getcode (file);
 if (code == -1)
 break;
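Review bot: `STACK_SIZE` needs a comment at its definition, because 8192 is below the worst-case code chain that the comment removed later in this patch put at `1 << BITS - 256` entries. With the smaller buffer, the `stackp - de_stack >= STACK_SIZE - 1` check added in BufCompressedFill is what keeps the chain walk inside `de_stack`. I would add `/* smaller than the longest possible code chain; every push onto de_stack must be bounds-checked */` above the define.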
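Review bot: The first code read in BufFilePushCompressed is stored in `oldcode` and `finchar` without checking that it is a literal; only the -1 end-of-stream value is handled. A first code of 256 or above stays in `oldcode` and is later used as a table index, through `code = oldcode` in the KwKwK branch and `file->tab_prefix[code] = (unsigned short)oldcode` in the hunks below. Rejecting it here is one line placed before the push, `if (file->oldcode > 255) file->oldcode = -1;`. That relies on BufCompressedFill loading its local `oldcode` from `file->oldcode`, which happens outside the visible hunks and should be confirmed. The start of the function and the rest of its return statement are also outside this hunk.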
@@ -238,34 +243,26 @@ BufCompressedFill (BufFilePtr f)
 for ( code = 255; code >= 0; code-- )
 file->tab_prefix[code] = 0;
 file->clear_flg = 1;
- file->free_ent = FIRST;
- oldcode = -1;
- continue;
+ file->free_ent = FIRST - 1;
+ if ( (code = getcode (file)) == -1 ) /* O, untimely death! */
+ break;
 }
 incode = code;
 /*
 * Special case for KwKwK string.
 */
 if ( code >= file->free_ent ) {
- if ( code > file->free_ent || oldcode == -1 ) {
- /* Bad stream. */
- return BUFFILEEOF;
- }
 *stackp++ = finchar;
 code = oldcode;
 }
-+ /*
-+ * The above condition ensures that code < free_ent.
-+ * The construction of tab_prefixof in turn guarantees that
-+ * each iteration decreases code and therefore stack usage is
-+ * bound by 1 << BITS - 256.
-+ */
-
+
 /*
 * Generate output characters in reverse order
 */
 while ( code >= 256 )
 {
+ if (stackp - de_stack >= STACK_SIZE - 1)
+ return BUFFILEEOF;
 *stackp++ = file->tab_suffix[code];
 code = file->tab_prefix[code];
 }
@@ -275,7 +272,7 @@ BufCompressedFill (BufFilePtr f)
 /*
 * Generate the new entry.
 */
- if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) {
+ if ( (code=file->free_ent) < file->maxmaxcode ) {
 file->tab_prefix[code] = (unsigned short)oldcode;
 file->tab_suffix[code] = finchar;
 file->free_ent = code+1; |
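Review bot: In the KwKwK branch the new code no longer rejects `code > file->free_ent`, so an out-of-range code is silently replaced by `oldcode` and decoding continues on a stream that cannot be valid. The restored `stackp - de_stack >= STACK_SIZE - 1` check bounds the writes to `de_stack`, but it does not stop the walk from following `tab_prefix`/`tab_suffix` entries that are stale or were never written for the current table. One way this can happen is the CLEAR path, which now sets `free_ent` to `FIRST - 1`, keeps the previous `oldcode` and takes the next code unchecked. Keeping the bad-stream test next to the stack guard costs one line inside the branch: `if ( code > file->free_ent ) return BUFFILEEOF;`. Whether the table reads stay in bounds depends on how the tables are allocated, which is outside the hunk along with the rest of the loop.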