diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2015-02-06 15:50:45 -0800 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-03-28 09:15:32 -0400 |
commit | ad956b8d1970952639b87c0b3bae966277fd1a32 (patch) | |
tree | 5435627df2ec1e762756d6b1a02296ad13aadb48 | |
parent | 6bbd73827f301fbe93b96649b63355c2ee4b0b80 (diff) | |
download | vcxsrv-ad956b8d1970952639b87c0b3bae966277fd1a32.tar.gz vcxsrv-ad956b8d1970952639b87c0b3bae966277fd1a32.tar.bz2 vcxsrv-ad956b8d1970952639b87c0b3bae966277fd1a32.zip |
bdfReadProperties: property count needs range check [CVE-2015-1802]
Avoid integer overflow or underflow when allocating memory arrays
by multiplying the number of properties reported for a BDF font.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e)
-rw-r--r-- | libXfont/src/bitmap/bdfread.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libXfont/src/bitmap/bdfread.c b/libXfont/src/bitmap/bdfread.c index 914a0244e..638790854 100644 --- a/libXfont/src/bitmap/bdfread.c +++ b/libXfont/src/bitmap/bdfread.c @@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState) bdfError("missing 'STARTPROPERTIES'\n"); return (FALSE); } - if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) { + if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) || + (nProps <= 0) || + (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { bdfError("bad 'STARTPROPERTIES'\n"); return (FALSE); } |