authorMatthieu Herrb <matthieu@blues.laas.fr>2006-09-12 11:58:19 +0200
committerMatthieu Herrb <matthieu@blues.laas.fr>2006-09-12 11:58:19 +0200
commit2e8f2c1919e2f82786eae09a94dbde82c3fbbae3 (patch)
tree3792ba477137da3b10a584f20a3c017b404c74f5
parent6dace87901aa05d85a178cfbd2dc0be1dc93fa34 (diff)
Fixes for integer overflows in CID encoded fonts parsing reported by iDefense.
CVE-ID 2006-3739, 2006-3740, bugzilla #8000, #8001.
-rw-r--r--src/Type1/afm.c7
-rw-r--r--src/Type1/scanfont.c12
-rw-r--r--src/Type1/util.c2
3 files changed, 18 insertions, 3 deletions
diff --git a/src/Type1/afm.c b/src/Type1/afm.c
index b8ce2d3..006ff3c 100644
--- a/src/Type1/afm.c
+++ b/src/Type1/afm.c
@@ -37,6 +37,8 @@
#include <X11/fonts/fontmisc.h> /* for xalloc/xfree */
#include "AFM.h"
+#include <limits.h>
+
#define PBUF 256
#define KBUF 20
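Review bot: The new `#include <limits.h>` is placed after the project header `"AFM.h"` rather than with the system include on the preceding lines; the usual ordering is system headers first, then project headers, so `<limits.h>` belongs next to `#include <X11/fonts/fontmisc.h>` before `#include "AFM.h"`. The same ordering applies to the `<limits.h>` addition in scanfont.c, which lands after `"blues.h"`. Purely a style point; the guards the header enables are fine.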
@@ -118,6 +120,11 @@ int CIDAFM(FILE *fd, FontInfo **pfi) {
fi->nChars = atoi(p);
+ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
+ xfree(afmbuf);
+ xfree(fi);
+ return(1);
+ }
fi->metrics = (Metrics *)xalloc(fi->nChars *
sizeof(Metrics));
if (fi->metrics == NULL) {
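Review bot: The new range check on `fi->nChars` still consumes the result of `atoi(p)`, which returns 0 for non-numeric input and has undefined behavior when the value does not fit in an `int`, so a malformed count can pass the guard before the range test ever runs. Parsing with `errno = 0; long n = strtol(p, &end, 10);` and rejecting `end == p || errno == ERANGE` alongside the existing `n < 0 || n > INT_MAX / sizeof(Metrics)` test would make the validation complete; assigning `fi->nChars` only after that keeps the rest of the function unchanged. The comparison itself is safe because the `< 0` test runs before the int-to-size_t conversion in the second operand. CIDAFM begins and ends outside this hunk, and I am assuming the `xfree(afmbuf); xfree(fi);` pair mirrors the cleanup on the existing `fi->metrics == NULL` path that follows.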
diff --git a/src/Type1/scanfont.c b/src/Type1/scanfont.c
index 04e3fe2..bc3c244 100644
--- a/src/Type1/scanfont.c
+++ b/src/Type1/scanfont.c
@@ -72,6 +72,8 @@
#include "spaces.h"
#include "fontfcn.h"
#include "blues.h"
+
+#include <limits.h>
#if XFONT_CID
#define CID_BUFSIZE 80
@@ -654,6 +656,7 @@ getFDArray(psobj *arrayP)
arrayP->data.valueP = tokenStartP;
/* allocate FDArray */
+ /* No integer overflow since arrayP->len is unsigned short */
FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
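Review bot: The added comment `/* No integer overflow since arrayP->len is unsigned short */` justifies only that `arrayP->len*(sizeof(psfont))` cannot wrap as a `size_t`; it says nothing about the conversion of that product to the `int bytes` parameter of `vm_alloc` (visible in the util.c hunk), which is the value that actually matters. If `sizeof(psfont)` is large enough, 65535 entries could exceed INT_MAX and the converted argument would be implementation-defined, now caught only by the new `bytes > 0` backstop in `vm_alloc`. I would state that reliance explicitly, e.g. `/* arrayP->len is unsigned short, so len * sizeof(psfont) cannot wrap; vm_alloc() rejects a product that does not fit its int parameter */`, so the next reader does not take the comment as a complete proof. The type of `arrayP->len` is not visible in this hunk, so I am taking the comment's word for it.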
@@ -850,7 +853,8 @@ BuildSubrs(psfont *FontP)
}
return(SCAN_OK);
}
-
+ if (N > INT_MAX / sizeof(psobj))
+ return (SCAN_ERROR);
arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
FontP->Subrs.len = N;
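Review bot: The new guard `if (N > INT_MAX / sizeof(psobj))` rejects a negative `N` only by accident: assuming `N` is a signed `int` (its declaration is outside the hunk), the comparison converts it to `size_t`, so a negative value becomes huge and fails the test, but nothing in the code says so. BuildCharStrings in the next hunk spells the sign check out as `N<=0 ||`; for consistency and readability this should be `if (N < 0 || N > INT_MAX / sizeof(psobj))`. Note also that `N == 0` now reaches `vm_alloc(0)`, which the util.c change turns into an allocation failure reported as `SCAN_OUT_OF_MEMORY` rather than `SCAN_ERROR`; if an empty Subrs array is legitimate input that change in outcome deserves a look. The enclosing function BuildSubrs starts outside the hunk.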
@@ -911,7 +915,7 @@ BuildCharStrings(psfont *FontP)
}
else return(rc); /* if next token was not an Int */
}
- if (N<=0) return(SCAN_ERROR);
+ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
/* save number of entries in the dictionary */
dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
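Review bot: The bound on the changed line is off by one against the allocation two lines below: the check admits `N == INT_MAX / sizeof(psdict)`, but the request is `(N+1)*sizeof(psdict)`, which for that `N` exceeds INT_MAX and is then narrowed to `vm_alloc`'s `int bytes` parameter. The `bytes > 0` test added in util.c would most likely catch the resulting negative value, but the guard here should not depend on that; `if (N<=0 || N >= INT_MAX / sizeof(psdict)) return(SCAN_ERROR);` closes the gap. The enclosing function BuildCharStrings begins outside the hunk.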
@@ -1719,6 +1723,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres *CMapP)
if (tokenType == TOKEN_INTEGER)
rangecnt = tokenValue.integer;
+ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
+ rc = SCAN_ERROR;
+ break;
+ }
/* ==> tokenLength, tokenTooLong, tokenType, and */
/* tokenValue are now set */
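Review bot: The new `rangecnt` guard is inserted between the assignment and the existing `/* ==> tokenLength, tokenTooLong, tokenType, and tokenValue are now set */` comment, which describes the token read just above, so the comment no longer sits next to what it documents. The guard also runs when `tokenType` is not `TOKEN_INTEGER`, in which case `rangecnt` still holds whatever value it had before (its initialization is outside the hunk, so I cannot tell whether that is a stale count or undefined); placing the check inside the `if (tokenType == TOKEN_INTEGER)` branch, or after the comment block, would make the intent clearer. The `rangecnt * sizeof(spacerangecode)` allocation this protects is not in the hunk, so I am assuming `rangecnt` is the only variable factor in it. scan_cidfont continues on both sides of the hunk.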
diff --git a/src/Type1/util.c b/src/Type1/util.c
index 5b6d5a8..7c5a81d 100644
--- a/src/Type1/util.c
+++ b/src/Type1/util.c
@@ -104,7 +104,7 @@ vm_alloc(int bytes)
bytes = (bytes + 7) & ~7;
/* Allocate the space, if it is available */
- if (bytes <= vm_free) {
+ if (bytes > 0 && bytes <= vm_free) {
answer = vm_next;
vm_free -= bytes;
vm_next += bytes;