From 4d024ac10f964f6bd372ae0dd14f02772a6e5f63 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Mon, 23 Dec 2013 18:34:02 -0800
Subject: CVE-2013-6462: unlimited sscanf overflows stack buffer in bdfReadCharacters()
Fixes cppcheck warning: [lib/libXfont/src/bitmap/bdfread.c:341]: (warning) scanf without field width limits can crash with huge input data.
Signed-off-by: Alan Coopersmith
Reviewed-by: Matthieu Herrb
Reviewed-by: Jeremy Huddleston Sequoia
---
 src/bitmap/bdfread.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
index e2770dc..e11c5d2 100644
--- src/bitmap/bdfread.c
+++ src/bitmap/bdfread.c
@@ -338,7 +338,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
 char charName[100];
 int ignore;
- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
 bdfError("bad character name in BDF file\n");
 goto BAILOUT; /* bottom of function, free and return error */
 }
--
cgit v1.2.3
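Review bot: The width `99` in the new `sscanf` format is tied by hand to `char charName[100]` two lines above, and nothing in the hunk records that link, so resizing the buffer later would make the format string wrong again without any compiler diagnostic. I would add a comment on the declaration such as `/* size must stay one larger than the %99s width in the STARTCHAR sscanf below */`, or derive both the array size and the width from a single constant. An over-long glyph name is also now cut to 99 bytes and accepted, because `sscanf` still returns 1; whether such input should instead be rejected through `bdfError` depends on how `charName` is used later, which is not visible here. bdfReadCharacters starts and ends outside the hunk, so any other unbounded `%s` conversions in the function cannot be checked from this diff.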