Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
View | Details | Raw Unified | Return to bug 145513 | Differences between
and this patch

Collapse All | Expand All

(-)lib/font/Type1/afm.c.orig (+6 lines)
Lines 29-34 Link Here
29
#include <stdio.h>
29
#include <stdio.h>
30
#include <string.h>
30
#include <string.h>
31
#include <stdlib.h>
31
#include <stdlib.h>
32
#include <limits.h>
32
#else
33
#else
33
#include "Xmd.h"        /* For INT32 declaration */
34
#include "Xmd.h"        /* For INT32 declaration */
34
#include "Xdefs.h"      /* For Bool */
35
#include "Xdefs.h"      /* For Bool */
Lines 118-123 Link Here
118
            
119
            
119
            fi->nChars = atoi(p);
120
            fi->nChars = atoi(p);
120
121
122
	    if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
123
		xfree(afmbuf);
124
		xfree(fi);
125
		return(1);
126
	    }
121
            fi->metrics = (Metrics *)xalloc(fi->nChars * 
127
            fi->metrics = (Metrics *)xalloc(fi->nChars * 
122
                sizeof(Metrics));
128
                sizeof(Metrics));
123
            if (fi->metrics == NULL) {
129
            if (fi->metrics == NULL) {
(-)lib/font/Type1/scanfont.c.orig (-2 / +9 lines)
Lines 57-62 Link Here
57
57
58
#ifndef FONTMODULE
58
#ifndef FONTMODULE
59
#include <string.h>
59
#include <string.h>
60
#include <limits.h>
60
#else
61
#else
61
#include "Xdefs.h"	/* Bool declaration */
62
#include "Xdefs.h"	/* Bool declaration */
62
#include "Xmd.h"	/* INT32 declaration */
63
#include "Xmd.h"	/* INT32 declaration */
Lines 654-659 Link Here
654
  arrayP->data.valueP = tokenStartP;
655
  arrayP->data.valueP = tokenStartP;
655
656
656
  /* allocate FDArray */
657
  /* allocate FDArray */
658
  /* No integer overflow since arrayP->len is unsigned short */
657
  FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
659
  FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
658
  if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
660
  if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
659
661
Lines 850-856 Link Here
850
     }
852
     }
851
     return(SCAN_OK);
853
     return(SCAN_OK);
852
   }
854
   }
853
 
855
   if (N > INT_MAX / sizeof(psobj)) 
856
       return (SCAN_ERROR);
854
   arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
857
   arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
855
   if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
858
   if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
856
   FontP->Subrs.len = N;
859
   FontP->Subrs.len = N;
Lines 911-917 Link Here
911
     }
914
     }
912
     else return(rc);  /* if next token was not an Int */
915
     else return(rc);  /* if next token was not an Int */
913
   }
916
   }
914
   if (N<=0) return(SCAN_ERROR);
917
   if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
915
   /* save number of entries in the dictionary */
918
   /* save number of entries in the dictionary */
916
 
919
 
917
   dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
920
   dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
Lines 1719-1724 Link Here
1719
    if (tokenType == TOKEN_INTEGER)
1722
    if (tokenType == TOKEN_INTEGER)
1720
      rangecnt = tokenValue.integer;
1723
      rangecnt = tokenValue.integer;
1721
1724
1725
    if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
1726
	rc = SCAN_ERROR;
1727
	break;
1728
    }
1722
    /* ==> tokenLength, tokenTooLong, tokenType, and */
1729
    /* ==> tokenLength, tokenTooLong, tokenType, and */
1723
    /* tokenValue are now set                        */
1730
    /* tokenValue are now set                        */
1724
1731

Return to bug 145513