Attachment #95407 for bug #145513

Lines 37-42 #endif Link Here

(-)a/src/Type1/afm.c (+7 lines)
37	#include <X11/fonts/fontmisc.h> /* for xalloc/xfree */	37	#include <X11/fonts/fontmisc.h> /* for xalloc/xfree */
38	#include "AFM.h"	38	#include "AFM.h"
39		39
		40	#include <limits.h>
		41
40	#define PBUF 256	42	#define PBUF 256
41	#define KBUF 20	43	#define KBUF 20
42		44
Lines 118-123 int CIDAFM(FILE fd, FontInfo *pfi) { Link Here
118		120
119	fi->nChars = atoi(p);	121	fi->nChars = atoi(p);
120		122
		123	if (fi->nChars < 0 \|\| fi->nChars > INT_MAX / sizeof(Metrics)) {
		124	xfree(afmbuf);
		125	xfree(fi);
		126	return(1);
		127	}
121	fi->metrics = (Metrics )xalloc(fi->nChars	128	fi->metrics = (Metrics )xalloc(fi->nChars
122	sizeof(Metrics));	129	sizeof(Metrics));
123	if (fi->metrics == NULL) {	130	if (fi->metrics == NULL) {

Lines 72-77 #include "objects.h" Link Here

(-)a/src/Type1/scanfont.c (-2 / +10 lines)
72	#include "spaces.h"	72	#include "spaces.h"
73	#include "fontfcn.h"	73	#include "fontfcn.h"
74	#include "blues.h"	74	#include "blues.h"
		75
		76	#include <limits.h>
75		77
76	#if XFONT_CID	78	#if XFONT_CID
77	#define CID_BUFSIZE 80	79	#define CID_BUFSIZE 80
Lines 654-659 getFDArray(psobj *arrayP) Link Here
654	arrayP->data.valueP = tokenStartP;	656	arrayP->data.valueP = tokenStartP;
655		657
656	/* allocate FDArray */	658	/* allocate FDArray */
		659	/* No integer overflow since arrayP->len is unsigned short */
657	FDArrayP = (psfont )vm_alloc(arrayP->len(sizeof(psfont)));	660	FDArrayP = (psfont )vm_alloc(arrayP->len(sizeof(psfont)));
658	if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);	661	if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
659		662
Lines 850-856 BuildSubrs(psfont *FontP) Link Here
850	}	853	}
851	return(SCAN_OK);	854	return(SCAN_OK);
852	}	855	}
853		856	if (N > INT_MAX / sizeof(psobj))
		857	return (SCAN_ERROR);
854	arrayP = (psobj )vm_alloc(Nsizeof(psobj));	858	arrayP = (psobj )vm_alloc(Nsizeof(psobj));
855	if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);	859	if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
856	FontP->Subrs.len = N;	860	FontP->Subrs.len = N;
Lines 911-917 BuildCharStrings(psfont *FontP) Link Here
911	}	915	}
912	else return(rc); /* if next token was not an Int */	916	else return(rc); /* if next token was not an Int */
913	}	917	}
914	if (N<=0) return(SCAN_ERROR);	918	if (N<=0 \|\| N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
915	/* save number of entries in the dictionary */	919	/* save number of entries in the dictionary */
916		920
917	dictP = (psdict )vm_alloc((N+1)sizeof(psdict));	921	dictP = (psdict )vm_alloc((N+1)sizeof(psdict));
Lines 1719-1724 scan_cidfont(cidfont *CIDFontP, cmapres Link Here
1719	if (tokenType == TOKEN_INTEGER)	1723	if (tokenType == TOKEN_INTEGER)
1720	rangecnt = tokenValue.integer;	1724	rangecnt = tokenValue.integer;
1721		1725
		1726	if (rangecnt < 0 \|\| rangecnt > INT_MAX / sizeof(spacerangecode)) {
		1727	rc = SCAN_ERROR;
		1728	break;
		1729	}
1722	/* ==> tokenLength, tokenTooLong, tokenType, and */	1730	/* ==> tokenLength, tokenTooLong, tokenType, and */
1723	/* tokenValue are now set */	1731	/* tokenValue are now set */
1724		1732

Return to bug 145513