Commit | Line | Data |
---|---|---|
17c23728 JB |
1 | Fix integer overflow vulnerabilities in the handling of Type1 fonts. |
2 | ||
3 | *** xc/lib/font/Type1/AFM.h Sun May 2 23:58:44 1999 | |
4 | --- xc/lib/font/Type1/AFM.h Wed Sep 6 17:37:56 2006 | |
5 | *************** typedef struct | |
6 | *** 47,52 **** | |
7 | --- 47,54 ---- | |
8 | BBox charBBox; /* key: B */ | |
9 | } Metrics; | |
10 | ||
11 | + #define MAX_CID_METRICS ((int)((unsigned int)(-1) / (2 * sizeof(Metrics)))) | |
12 | + | |
13 | typedef struct | |
14 | { | |
15 | int nChars; /* number of entries in char metrics array */ | |
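Review bot: MAX_CID_METRICS has no comment saying what the bound protects or why the divisor carries a factor of 2, and the same applies to MAX_CID_SPACERANGECODES and MAX_CID_CIDRANGECODES in range.h. A reader has to work out that it keeps `count * sizeof(Metrics)` at or below half of the unsigned int range, which on the usual 32-bit int means the byte count still fits in a positive int. I would add `/* Largest element count whose total size in bytes still fits in a positive int. */` above each macro. Writing `(unsigned int)(-1)` as `UINT_MAX` from `<limits.h>` would also state the intent more directly.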
16 | *** xc/lib/font/Type1/afm.c Fri Oct 14 09:16:02 2005 | |
17 | --- xc/lib/font/Type1/afm.c Wed Sep 6 17:37:56 2006 | |
18 | *************** int CIDAFM(FILE *fd, FontInfo **pfi) { | |
19 | *** 111,116 **** | |
20 | --- 111,122 ---- | |
21 | ||
22 | fi->nChars = atoi(p); | |
23 | ||
24 | + if ((fi->nChars <= 0) || (fi->nChars > MAX_CID_METRICS)) { | |
25 | + xfree(afmbuf); | |
26 | + xfree(fi); | |
27 | + return(1); | |
28 | + } | |
29 | + | |
30 | fi->metrics = (Metrics *)xalloc(fi->nChars * | |
31 | sizeof(Metrics)); | |
32 | if (fi->metrics == NULL) { | |
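Review bot: The new range check runs on the result of `atoi(p)`, and atoi has no defined result when the digits read from the file do not fit in an int, so an oversized count may already be mangled before the comparison sees it. Parsing with `strtol` and testing `errno == ERANGE` and the end pointer before assigning to `fi->nChars` would make the bound reliable. The error path frees `afmbuf` and `fi` and returns 1; whether `*pfi` or `fd` also need handling cannot be judged here, because CIDAFM starts and ends outside the hunk. A short comment such as `/* reject counts that would overflow the metrics allocation */` above the check would help the next reader.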
33 | *** xc/lib/font/Type1/range.h Tue May 4 03:35:22 1999 | |
34 | --- xc/lib/font/Type1/range.h Wed Sep 6 17:37:56 2006 | |
35 | *************** typedef struct spacerange_code { | |
36 | *** 24,29 **** | |
37 | --- 24,32 ---- | |
38 | unsigned int srcCodeHi; | |
39 | } spacerangecode; | |
40 | ||
41 | + #define MAX_CID_SPACERANGECODES \ | |
42 | + ((int)((unsigned int)(-1) / (2 * sizeof(spacerangecode)))) | |
43 | + | |
44 | typedef struct space_range { | |
45 | struct space_range *next; | |
46 | int rangecnt; | |
47 | *************** typedef struct cidrange_code { | |
48 | *** 36,41 **** | |
49 | --- 39,47 ---- | |
50 | unsigned int dstCIDLo; | |
51 | } cidrangecode; | |
52 | ||
53 | + #define MAX_CID_CIDRANGECODES \ | |
54 | + ((int)((unsigned int)(-1) / (2 * sizeof(cidrangecode)))) | |
55 | + | |
56 | typedef struct cid_range { | |
57 | struct cid_range *next; | |
58 | int rangecnt; | |
59 | *** xc/lib/font/Type1/scanfont.c Fri Oct 14 09:16:02 2005 | |
60 | --- xc/lib/font/Type1/scanfont.c Wed Sep 6 17:37:56 2006 | |
61 | *************** scan_cidfont(cidfont *CIDFontP, cmapres | |
62 | *** 1732,1737 **** | |
63 | --- 1732,1741 ---- | |
64 | break; | |
65 | case TOKEN_NAME: | |
66 | if (0 == strncmp(tokenStartP,"begincodespacerange",19)) { | |
67 | + if ((rangecnt <= 0) || (rangecnt > MAX_CID_SPACERANGECODES)) { | |
68 | + rc = SCAN_OUT_OF_MEMORY; | |
69 | + break; | |
70 | + } | |
71 | CIDFontP->spacerangecnt++; | |
72 | spacerangeP = (spacerange *)vm_alloc(sizeof(spacerange)); | |
73 | if (!spacerangeP) { | |
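Review bot: A rejected `rangecnt` is reported as `SCAN_OUT_OF_MEMORY`, which makes a malformed or hostile count in the font file indistinguishable from genuine memory exhaustion for callers and logs; the same choice is repeated in the `begincidrange` and `beginnotdefrange` hunks. If the scanner already has an error code for invalid input it would fit better; otherwise a comment should state the intent, e.g. `/* count comes from the font file; refuse values whose array size would overflow */`. Where `rangecnt` is set, and whether `break` actually ends the scan loop, is not visible, since scan_cidfont extends beyond all three hunks.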
74 | *************** scan_cidfont(cidfont *CIDFontP, cmapres | |
75 | *** 1787,1792 **** | |
76 | --- 1791,1800 ---- | |
77 | } | |
78 | } | |
79 | if (0 == strncmp(tokenStartP,"begincidrange",13)) { | |
80 | + if ((rangecnt <= 0) || (rangecnt > MAX_CID_CIDRANGECODES)) { | |
81 | + rc = SCAN_OUT_OF_MEMORY; | |
82 | + break; | |
83 | + } | |
84 | CIDFontP->cidrangecnt++; | |
85 | cidrangeP = (cidrange *)vm_alloc(sizeof(cidrange)); | |
86 | if (!cidrangeP) { | |
87 | *************** scan_cidfont(cidfont *CIDFontP, cmapres | |
88 | *** 1868,1873 **** | |
89 | --- 1876,1885 ---- | |
90 | } | |
91 | ||
92 | if (0 == strncmp(tokenStartP,"beginnotdefrange",16)) { | |
93 | + if ((rangecnt <= 0) || (rangecnt > MAX_CID_CIDRANGECODES)) { | |
94 | + rc = SCAN_OUT_OF_MEMORY; | |
95 | + break; | |
96 | + } | |
97 | CIDFontP->notdefrangecnt++; | |
98 | notdefrangeP = (cidrange *)vm_alloc(sizeof(cidrange)); | |
99 | if (!notdefrangeP) { | |
100 | *** xc/lib/font/Type1/util.c Fri Oct 14 09:16:03 2005 | |
101 | --- xc/lib/font/Type1/util.c Wed Sep 6 17:42:08 2006 | |
102 | *************** vm_alloc(int bytes) | |
103 | *** 96,102 **** | |
104 | bytes = (bytes + 7) & ~7; | |
105 | ||
106 | /* Allocate the space, if it is available */ | |
107 | ! if (bytes <= vm_free) { | |
108 | answer = vm_next; | |
109 | vm_free -= bytes; | |
110 | vm_next += bytes; | |
111 | --- 96,102 ---- | |
112 | bytes = (bytes + 7) & ~7; | |
113 | ||
114 | /* Allocate the space, if it is available */ | |
115 | ! if ((bytes > 0) && (bytes <= vm_free)) { | |
116 | answer = vm_next; | |
117 | vm_free -= bytes; | |
118 | vm_next += bytes; |
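Review bot: The added `bytes > 0` test runs after `bytes = (bytes + 7) & ~7;`, so a request within 7 of INT_MAX still overflows a signed int in the rounding step, which is undefined behaviour rather than a guaranteed negative value. Rejecting bad sizes before the rounding closes that gap, e.g. `if (bytes <= 0 || bytes > INT_MAX - 7)` leading to the function's existing failure path. The new condition also turns a zero-byte request from a success into a failure, which looks intended but deserves a one-line comment. vm_alloc begins and ends outside the hunk, so the failure path itself is not visible here.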