Attachment #96295 for bug #145513

Lines 29-34 Link Here

(-)libXfont-1.2.0/src/Type1/afm.c.orig (+6 lines)
29	#include <stdio.h>	29	#include <stdio.h>
30	#include <string.h>	30	#include <string.h>
31	#include <stdlib.h>	31	#include <stdlib.h>
		32	#include <limits.h>
32	#else	33	#else
33	#include "Xmd.h" /* For INT32 declaration */	34	#include "Xmd.h" /* For INT32 declaration */
34	#include "Xdefs.h" /* For Bool */	35	#include "Xdefs.h" /* For Bool */
Lines 118-123 Link Here
118		119
119	fi->nChars = atoi(p);	120	fi->nChars = atoi(p);
120		121
		122	if (fi->nChars < 0 \|\| fi->nChars > INT_MAX / sizeof(Metrics)) {
		123	xfree(afmbuf);
		124	xfree(fi);
		125	return(1);
		126	}
121	fi->metrics = (Metrics )xalloc(fi->nChars	127	fi->metrics = (Metrics )xalloc(fi->nChars
122	sizeof(Metrics));	128	sizeof(Metrics));
123	if (fi->metrics == NULL) {	129	if (fi->metrics == NULL) {





#ifndef FONTMODULE
#include <string.h>
#include <limits.h>
#else
#include "Xdefs.h"	/* Bool declaration */
#include "Xmd.h"	/* INT32 declaration */

  arrayP->data.valueP = tokenStartP;

  /* allocate FDArray */
  /* No integer overflow since arrayP->len is unsigned short */
  FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
  if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);


     }
     return(SCAN_OK);
   }
   if (N > INT_MAX / sizeof(psobj)) 
       return (SCAN_ERROR);
   arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
   if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
   FontP->Subrs.len = N;

     }
     else return(rc);  /* if next token was not an Int */
   }
   if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
   /* save number of entries in the dictionary */
 
   dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));

    if (tokenType == TOKEN_INTEGER)
      rangecnt = tokenValue.integer;

    if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
	rc = SCAN_ERROR;
	break;
    }
    /* ==> tokenLength, tokenTooLong, tokenType, and */
    /* tokenValue are now set                        */


Return to bug 145513

Lines 57-62 Link Here

(-)libXfont-1.2.0/src/Type1/scanfont.c.orig (-2 / +9 lines)
57		57
58	#ifndef FONTMODULE	58	#ifndef FONTMODULE
59	#include <string.h>	59	#include <string.h>
		60	#include <limits.h>
60	#else	61	#else
61	#include "Xdefs.h" /* Bool declaration */	62	#include "Xdefs.h" /* Bool declaration */
62	#include "Xmd.h" /* INT32 declaration */	63	#include "Xmd.h" /* INT32 declaration */
Lines 654-659 Link Here
654	arrayP->data.valueP = tokenStartP;	655	arrayP->data.valueP = tokenStartP;
655		656
656	/* allocate FDArray */	657	/* allocate FDArray */
		658	/* No integer overflow since arrayP->len is unsigned short */
657	FDArrayP = (psfont )vm_alloc(arrayP->len(sizeof(psfont)));	659	FDArrayP = (psfont )vm_alloc(arrayP->len(sizeof(psfont)));
658	if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);	660	if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
659		661
Lines 850-856 Link Here
850	}	852	}
851	return(SCAN_OK);	853	return(SCAN_OK);
852	}	854	}
853		855	if (N > INT_MAX / sizeof(psobj))
		856	return (SCAN_ERROR);
854	arrayP = (psobj )vm_alloc(Nsizeof(psobj));	857	arrayP = (psobj )vm_alloc(Nsizeof(psobj));
855	if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);	858	if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
856	FontP->Subrs.len = N;	859	FontP->Subrs.len = N;
Lines 911-917 Link Here
911	}	914	}
912	else return(rc); /* if next token was not an Int */	915	else return(rc); /* if next token was not an Int */
913	}	916	}
914	if (N<=0) return(SCAN_ERROR);	917	if (N<=0 \|\| N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
915	/* save number of entries in the dictionary */	918	/* save number of entries in the dictionary */
916		919
917	dictP = (psdict )vm_alloc((N+1)sizeof(psdict));	920	dictP = (psdict )vm_alloc((N+1)sizeof(psdict));
Lines 1719-1724 Link Here
1719	if (tokenType == TOKEN_INTEGER)	1722	if (tokenType == TOKEN_INTEGER)
1720	rangecnt = tokenValue.integer;	1723	rangecnt = tokenValue.integer;
1721		1724
		1725	if (rangecnt < 0 \|\| rangecnt > INT_MAX / sizeof(spacerangecode)) {
		1726	rc = SCAN_ERROR;
		1727	break;
		1728	}
1722	/* ==> tokenLength, tokenTooLong, tokenType, and */	1729	/* ==> tokenLength, tokenTooLong, tokenType, and */
1723	/* tokenValue are now set */	1730	/* tokenValue are now set */
1724		1731