Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 114802 Details for
Bug 172575
x11-libs/libXfont BDF Font Parsing and xc-misc Integer Overflow (CVE-2007-{135{1|2}|1003})
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
libXfontIDEF739IDEF741.diff
libXfontIDEF739IDEF741.diff (text/plain), 1.50 KB, created by
Sune Kloppenborg Jeppesen (RETIRED)
on 2007-03-28 17:28:28 UTC
(
hide
)
Description:
libXfontIDEF739IDEF741.diff
Filename:
MIME Type:
Creator:
Sune Kloppenborg Jeppesen (RETIRED)
Created:
2007-03-28 17:28:28 UTC
Size:
1.50 KB
patch
obsolete
>diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c >index acb77e9..a6f0c1e 100644 >--- a/src/bitmap/bdfread.c >+++ b/src/bitmap/bdfread.c >@@ -65,6 +65,12 @@ from The Open Group. > #include <X11/fonts/bitmap.h> > #include <X11/fonts/bdfint.h> > >+#if HAVE_STDINT_H >+#include <stdint.h> >+#elif !defined(INT32_MAX) >+#define INT32_MAX 0x7fffffff >+#endif >+ > #define INDICES 256 > #define MAXENCODING 0xFFFF > #define BDFLINELEN 1024 >@@ -288,6 +294,11 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, > bdfError("invalid number of CHARS in BDF file\n"); > return (FALSE); > } >+ if (nchars > INT32_MAX / sizeof(CharInfoRec)) { >+ bdfError("Couldn't allocate pCI (%d*%d)\n", nchars, >+ sizeof(CharInfoRec)); >+ goto BAILOUT; >+ } > ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec)); > if (!ci) { > bdfError("Couldn't allocate pCI (%d*%d)\n", nchars, >diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c >index aae1f2e..cf68a54 100644 >--- a/src/fontfile/fontdir.c >+++ b/src/fontfile/fontdir.c >@@ -38,9 +38,17 @@ in this Software without prior written authorization from The Open Group. > #include <X11/fonts/fntfilst.h> > #include <X11/keysym.h> > >+#if HAVE_STDINT_H >+#include <stdint.h> >+#elif !defined(INT32_MAX) >+#define INT32_MAX 0x7fffffff >+#endif >+ > Bool > FontFileInitTable (FontTablePtr table, int size) > { >+ if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec))) >+ return FALSE; > if (size) > { > table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size); >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 172575
: 114802 |
114804
|
114864