summaryrefslogtreecommitdiff
path: root/src/fc/fserve.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/fc/fserve.c')
-rw-r--r--src/fc/fserve.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/src/fc/fserve.c b/src/fc/fserve.c
index f08028f..3abbacf 100644
--- a/src/fc/fserve.c
+++ b/src/fc/fserve.c
@@ -97,6 +97,9 @@ in this Software without prior written authorization from The Open Group.
*/
#define LENGTHOF(r) (SIZEOF(r) >> 2)
+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
+#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2)
+
extern void ErrorF(const char *f, ...);
static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
@@ -619,6 +622,21 @@ fs_get_reply (FSFpePtr conn, int *error)
rep = (fsGenericReply *) buf;
+ /*
+ * Refuse to accept replies longer than a maximum reasonable length,
+ * before we pass to _fs_start_read, since it will try to resize the
+ * incoming connection buffer to this size. Also avoids integer overflow
+ * on 32-bit systems.
+ */
+ if (rep->length > MAX_REPLY_LENGTH)
+ {
+ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting"
+ " from font server\n", rep->length);
+ _fs_connection_died (conn);
+ *error = FSIO_ERROR;
+ return 0;
+ }
+
ret = _fs_start_read (conn, rep->length << 2, &buf);
if (ret != FSIO_READY)
{