aboutsummaryrefslogtreecommitdiff
path: root/libXfont/src/fontfile
diff options
context:
space:
mode:
Diffstat (limited to 'libXfont/src/fontfile')
-rw-r--r--libXfont/src/fontfile/dirfile.c4
-rw-r--r--libXfont/src/fontfile/fontdir.c5
2 files changed, 9 insertions, 0 deletions
diff --git a/libXfont/src/fontfile/dirfile.c b/libXfont/src/fontfile/dirfile.c
index c8aff6f4f..789fde5ff 100644
--- a/libXfont/src/fontfile/dirfile.c
+++ b/libXfont/src/fontfile/dirfile.c
@@ -42,6 +42,7 @@ in this Software without prior written authorization from The Open Group.
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
+#include <limits.h>
static Bool AddFileNameAliases ( FontDirectoryPtr dir );
static int ReadFontAlias ( char *directory, Bool isFile,
@@ -374,6 +375,9 @@ lexAlias(FILE *file, char **lexToken)
int nsize;
char *nbuf;
+ if (tokenSize >= (INT_MAX >> 2))
+ /* Stop before we overflow */
+ return EALLOC;
nsize = tokenSize ? (tokenSize << 1) : 64;
nbuf = realloc(tokenBuf, nsize);
if (!nbuf)
diff --git a/libXfont/src/fontfile/fontdir.c b/libXfont/src/fontfile/fontdir.c
index 97b2ba3b1..ce1595c8b 100644
--- a/libXfont/src/fontfile/fontdir.c
+++ b/libXfont/src/fontfile/fontdir.c
@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
if (table->sorted)
return (FontEntryPtr) 0; /* "cannot" happen */
if (table->used == table->size) {
+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
+ /* If we've read so many entries we're going to ask for 2gb
+ or more of memory, something is so wrong with this font
+ directory that we should just give up before we overflow. */
+ return NULL;
newsize = table->size + 100;
entry = realloc(table->entries, newsize * sizeof(FontEntryRec));
if (!entry)
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-20 15:20:59 +0000