Gentoo's Bugzilla – Attachment 95407 Details for
Bug 145513
x11-base/xorg-x11 Integer overflow in CID parser (CVE-2006-37{39|40})
[patch]
libXfont.diff
libXfont.diff (text/plain), 2.17 KB, created by
Sune Kloppenborg Jeppesen (RETIRED)
on 2006-08-29 12:22:15 UTC
Description:
libXfont.diff
Filename:
MIME Type:
Creator:
Sune Kloppenborg Jeppesen (RETIRED)
Created:
2006-08-29 12:22:15 UTC
Size:
2.17 KB
patch
obsolete
>diff --git a/src/Type1/afm.c b/src/Type1/afm.c
>index b8ce2d3..006ff3c 100644
>--- a/src/Type1/afm.c
>+++ b/src/Type1/afm.c
>@@ -37,6 +37,8 @@ #endif
> #include <X11/fonts/fontmisc.h> /* for xalloc/xfree */
> #include "AFM.h"
> 
>+#include <limits.h>
>+
> #define PBUF 256
> #define KBUF 20
> 
>@@ -118,6 +120,11 @@ int CIDAFM(FILE *fd, FontInfo **pfi) {
> 
> fi->nChars = atoi(p);
> 
>+ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
>+ xfree(afmbuf);
>+ xfree(fi);
>+ return(1);
>+ }
> fi->metrics = (Metrics *)xalloc(fi->nChars *
> sizeof(Metrics));
> if (fi->metrics == NULL) {
>diff --git a/src/Type1/scanfont.c b/src/Type1/scanfont.c
>index 04e3fe2..bc3c244 100644
>--- a/src/Type1/scanfont.c
>+++ b/src/Type1/scanfont.c
>@@ -72,6 +72,8 @@ #include "objects.h"
> #include "spaces.h"
> #include "fontfcn.h"
> #include "blues.h"
>+
>+#include <limits.h>
> 
> #if XFONT_CID
> #define CID_BUFSIZE 80
>@@ -654,6 +656,7 @@ getFDArray(psobj *arrayP)
> arrayP->data.valueP = tokenStartP;
> 
> /* allocate FDArray */
>+ /* No integer overflow since arrayP->len is unsigned short */
> FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
> if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
> 
>@@ -850,7 +853,8 @@ BuildSubrs(psfont *FontP)
> }
> return(SCAN_OK);
> }
>-
>+ if (N > INT_MAX / sizeof(psobj))
>+ return (SCAN_ERROR);
> arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
> if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
> FontP->Subrs.len = N;
>@@ -911,7 +915,7 @@ BuildCharStrings(psfont *FontP)
> }
> else return(rc); /* if next token was not an Int */
> }
>- if (N<=0) return(SCAN_ERROR);
>+ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
> /* save number of entries in the dictionary */
> 
> dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
>@@ -1719,6 +1723,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres
> if (tokenType == TOKEN_INTEGER)
> rangecnt = tokenValue.integer;
> 
>+ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
>+ rc = SCAN_ERROR;
>+ break;
>+ }
> /* ==> tokenLength, tokenTooLong, tokenType, and */
> /* tokenValue are now set */
>
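Review bot: The new guard in CIDAFM compares the `int` `fi->nChars` with `INT_MAX / sizeof(Metrics)`, which is a `size_t`, and that is only safe because `fi->nChars < 0` is tested first and short-circuits before the signed value would be converted to unsigned. A one-line comment above the check would protect that ordering from later edits: `/* order matters: reject < 0 before the unsigned comparison */`. The count still comes from `atoi(p)` on the preceding context line, which cannot report malformed input, so `strtol` with an end-pointer check at the same spot would make the validation complete rather than only bounding the value. The three-line cleanup presumably mirrors the `fi->metrics == NULL` path that starts at the end of the hunk; a shared `goto` cleanup label would keep the two paths from drifting apart.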
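Review bot: The guard added before the `vm_alloc` in BuildSubrs has no explicit negative test, unlike the CIDAFM and scan_cidfont hunks in this patch; a negative `N` is rejected only because it is converted to `size_t` for the comparison with `INT_MAX / sizeof(psobj)`, which is easy to break in a later refactor. Making it explicit keeps the patch consistent: `if (N < 0 || N > INT_MAX / sizeof(psobj))`. BuildSubrs starts outside the hunk, so an earlier range check on `N` may already exist; if so, a short comment pointing at it would be enough. `N == 0` still reaches `vm_alloc(0)` here while BuildCharStrings rejects it with `N<=0`; worth aligning unless an empty Subrs array is legitimate.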
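Review bot: The new bound in BuildCharStrings checks `N` against `INT_MAX / sizeof(psdict)`, but the allocation two lines below is `(N+1)*sizeof(psdict)`, so the largest accepted `N` still produces a size above `INT_MAX`. Whether that matters depends on vm_alloc's parameter type, which is not in the hunk; if it takes an `int` or `unsigned int`, the converted size could wrap or go negative. Bounding the value that is actually allocated closes the gap: `if (N<=0 || N >= INT_MAX / sizeof(psdict)) return(SCAN_ERROR);`.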
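Review bot: The new check in scan_cidfont exits with `rc = SCAN_ERROR; break;`, but the loop or switch that the `break` leaves is outside this hunk, as is the allocation sized by `rangecnt` that the check is meant to protect. If the token handling sits inside a `switch`, `break` only leaves the switch and the allocation would still run; if it leaves a loop, the code after the loop must test `rc` before using `rangecnt`. Worth confirming against the full function, and a comment on the `break` naming what it exits, e.g. `/* leave the range-reading loop; caller checks rc */`, would make the intent visible in the hunk.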