From de7bfbf0e61cdbe5e5c094d8a237cdc87e8b1fc3 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Fri, 6 Feb 2015 15:54:00 -0800 Subject: bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803] Previously would charge on ahead with a NULL pointer in ci->bits, and then crash later in FontCharInkMetrics() trying to access the bits. Found with afl-1.23b. Signed-off-by: Alan Coopersmith Reviewed-by: Julien Cristau (cherry picked from commit 78c2e3d70d29698244f70164428bd2868c0ab34c) --- libXfont/src/bitmap/bdfread.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libXfont/src/bitmap/bdfread.c b/libXfont/src/bitmap/bdfread.c index 638790854..1b29b81c9 100644 --- a/libXfont/src/bitmap/bdfread.c +++ b/libXfont/src/bitmap/bdfread.c @@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, ci->metrics.descent = -bb; ci->metrics.characterWidth = wx; ci->bits = NULL; - bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes); + if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) { + bdfError("could not read bitmap for character '%s'\n", charName); + goto BAILOUT; + } ci++; ndx++; } else -- cgit v1.2.3