authorMatthieu Herrb <matthieu@roadrock.(none)>2007-04-03 15:45:21 +0200
committerMatthieu Herrb <matthieu@roadrock.(none)>2007-04-03 15:45:21 +0200
commite7a59cfb5d442d2965cfcffeff405a4b05591190 (patch)
treeed517ce0794f87a785f0b3e9889bb94eba474532
parentcc824e4f2c9a53a00b36a6f83bf065c363027087 (diff)
Integer overflow vulnerabilities
CVE-2007-1351: BDFFont Parsing Integer Overflow
CVE-2007-1352: fonts.dir File Parsing Integer Overflow
-rw-r--r--src/bitmap/bdfread.c11
-rw-r--r--src/fontfile/fontdir.c8
2 files changed, 19 insertions, 0 deletions
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
index acb77e9..a6f0c1e 100644
--- a/src/bitmap/bdfread.c
+++ b/src/bitmap/bdfread.c
@@ -65,6 +65,12 @@ from The Open Group.
#include <X11/fonts/bitmap.h>
#include <X11/fonts/bdfint.h>
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(INT32_MAX)
+#define INT32_MAX 0x7fffffff
+#endif
+
#define INDICES 256
#define MAXENCODING 0xFFFF
#define BDFLINELEN 1024
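Review bot: The `INT32_MAX` fallback added after the includes carries no comment saying why the allocation bound is `INT32_MAX` rather than the limit of `size_t`, and the same five preprocessor lines are repeated in src/fontfile/fontdir.c. A one-line comment such as `/* INT32_MAX caps element counts read from font files before they are multiplied by a record size */` would record the intent. `#if HAVE_STDINT_H` also relies on the configure-generated header being included earlier in the file, which is not visible in this hunk; without it the `#elif` fallback is what takes effect.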
@@ -288,6 +294,11 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
bdfError("invalid number of CHARS in BDF file\n");
return (FALSE);
}
+ if (nchars > INT32_MAX / sizeof(CharInfoRec)) {
+ bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
+ sizeof(CharInfoRec));
+ goto BAILOUT;
+ }
ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec));
if (!ci) {
bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
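Review bot: The new `bdfError` call passes `sizeof(CharInfoRec)`, a `size_t`, to a `%d` conversion, copying the pattern of the existing allocation-failure message just below it. Assuming bdfError forwards its arguments to a printf-style formatter, that is a type mismatch wherever `size_t` is wider than `int`; casting the argument, `(int) sizeof(CharInfoRec)`, avoids it in both calls. Because the text is identical to the out-of-memory message, a log reader cannot tell a rejected oversized CHARS count from a real allocation failure, so a distinct message such as `"CHARS count %d too large\n"` would help triage of malformed font files. The `BAILOUT` label lies outside this hunk, so confirm its cleanup is safe when reached before `ci` has been assigned.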
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index aae1f2e..cf68a54 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -38,9 +38,17 @@ in this Software without prior written authorization from The Open Group.
#include <X11/fonts/fntfilst.h>
#include <X11/keysym.h>
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(INT32_MAX)
+#define INT32_MAX 0x7fffffff
+#endif
+
Bool
FontFileInitTable (FontTablePtr table, int size)
{
+ if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec)))
+ return FALSE;
if (size)
{
table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size);
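Review bot: The early `return FALSE` added at the top of FontFileInitTable leaves `*table` untouched, so a caller that ignores the result or runs its usual teardown on the table would act on whatever `entries` pointer was there before. Adding `table->entries = NULL;` before the return makes the rejected case safe to clean up. The rest of the function and its callers are outside this hunk, so whether any caller depends on this should be checked there. A short comment on the check, for example `/* size comes from a fonts.dir file; reject counts whose byte size would overflow (CVE-2007-1352) */`, would help keep the bound in place during later edits.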