aboutsummaryrefslogtreecommitdiff
path: root/libXfont/src
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2015-02-06 15:50:45 -0800
committerMike DePaulo <mikedep333@gmail.com>2015-03-28 13:05:57 -0400
commite195099b83a23182925f20028de3e9ea4fe64845 (patch)
treeaf382d3b851a95e90e05a71649af56044ec784e2 /libXfont/src
parent7e5f8b1f5a3cb6c7c9f784900f3b0b23215441bb (diff)
downloadvcxsrv-e195099b83a23182925f20028de3e9ea4fe64845.tar.gz
vcxsrv-e195099b83a23182925f20028de3e9ea4fe64845.tar.bz2
vcxsrv-e195099b83a23182925f20028de3e9ea4fe64845.zip
bdfReadProperties: property count needs range check [CVE-2015-1802]
Avoid integer overflow or underflow when allocating memory arrays by multiplying the number of properties reported for a BDF font. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e)
Diffstat (limited to 'libXfont/src')
-rw-r--r--libXfont/src/bitmap/bdfread.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/libXfont/src/bitmap/bdfread.c b/libXfont/src/bitmap/bdfread.c
index 914a0244e..638790854 100644
--- a/libXfont/src/bitmap/bdfread.c
+++ b/libXfont/src/bitmap/bdfread.c
@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
bdfError("missing 'STARTPROPERTIES'\n");
return (FALSE);
}
- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
+ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
+ (nProps <= 0) ||
+ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
bdfError("bad 'STARTPROPERTIES'\n");
return (FALSE);
}