1 Fix integer overflow vulnerabilities in the handling of Type1 fonts.
3 *** xc/lib/font/Type1/AFM.h Sun May 2 23:58:44 1999
4 --- xc/lib/font/Type1/AFM.h Wed Sep 6 17:37:56 2006
5 *************** typedef struct
8 BBox charBBox; /* key: B */
11 + #define MAX_CID_METRICS ((int)((unsigned int)(-1) / (2 * sizeof(Metrics))))
15 int nChars; /* number of entries in char metrics array */
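Review bot: `MAX_CID_METRICS` carries no comment explaining what it bounds, and the divisor `2 * sizeof(Metrics)` is not self-evident: dividing UINT_MAX by sizeof(Metrics) alone already prevents `nChars * sizeof(Metrics)` from wrapping, so the extra factor of 2 presumably exists to keep the byte count within INT_MAX for allocators that take an `int` size (vm_alloc(int bytes) in util.c does), but that is inferred rather than visible here. Suggest a comment on the define, e.g. `/* Largest nChars for which nChars * sizeof(Metrics) fits without overflow; the factor of 2 also keeps the byte count within INT_MAX. */`, and spelling the limit as `UINT_MAX` from `<limits.h>` if that header is already in scope, instead of `(unsigned int)(-1)`. The same two points apply to `MAX_CID_SPACERANGECODES` and `MAX_CID_CIDRANGECODES` in range.h. The surrounding typedef continues outside the hunk.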
16 *** xc/lib/font/Type1/afm.c Fri Oct 14 09:16:02 2005
17 --- xc/lib/font/Type1/afm.c Wed Sep 6 17:37:56 2006
18 *************** int CIDAFM(FILE *fd, FontInfo **pfi) {
24 + if ((fi->nChars <= 0) || (fi->nChars > MAX_CID_METRICS)) {
30 fi->metrics = (Metrics *)xalloc(fi->nChars *
32 if (fi->metrics == NULL) {
33 *** xc/lib/font/Type1/range.h Tue May 4 03:35:22 1999
34 --- xc/lib/font/Type1/range.h Wed Sep 6 17:37:56 2006
35 *************** typedef struct spacerange_code {
38 unsigned int srcCodeHi;
41 + #define MAX_CID_SPACERANGECODES \
42 + ((int)((unsigned int)(-1) / (2 * sizeof(spacerangecode))))
44 typedef struct space_range {
45 struct space_range *next;
47 *************** typedef struct cidrange_code {
50 unsigned int dstCIDLo;
53 + #define MAX_CID_CIDRANGECODES \
54 + ((int)((unsigned int)(-1) / (2 * sizeof(cidrangecode))))
56 typedef struct cid_range {
57 struct cid_range *next;
59 *** xc/lib/font/Type1/scanfont.c Fri Oct 14 09:16:02 2005
60 --- xc/lib/font/Type1/scanfont.c Wed Sep 6 17:37:56 2006
61 *************** scan_cidfont(cidfont *CIDFontP, cmapres
66 if (0 == strncmp(tokenStartP,"begincodespacerange",19)) {
67 + if ((rangecnt <= 0) || (rangecnt > MAX_CID_SPACERANGECODES)) {
68 + rc = SCAN_OUT_OF_MEMORY;
71 CIDFontP->spacerangecnt++;
72 spacerangeP = (spacerange *)vm_alloc(sizeof(spacerange));
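Review bot: The new guard reports a rejected count as `SCAN_OUT_OF_MEMORY`, which conflates a malformed or hostile count in the font with genuine exhaustion of the scanner's arena; if scanfont.h has a distinct parse-error status, returning that here would make the failure diagnosable in logs and keep out-of-memory reports meaningful. The same guard is repeated for `begincidrange` and `beginnotdefrange` with only the macro differing, so either a comment at this first one, `/* reject non-positive or implausibly large counts so the range allocations below cannot overflow */`, or a small `static` helper would document the intent once. It is also worth confirming that `rangecnt <= 0` is meant to be fatal, since a zero-length range block may be syntactically legal even if useless. Where `rangecnt` is parsed, and the rest of scan_cidfont, lie outside these hunks.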
74 *************** scan_cidfont(cidfont *CIDFontP, cmapres
79 if (0 == strncmp(tokenStartP,"begincidrange",13)) {
80 + if ((rangecnt <= 0) || (rangecnt > MAX_CID_CIDRANGECODES)) {
81 + rc = SCAN_OUT_OF_MEMORY;
84 CIDFontP->cidrangecnt++;
85 cidrangeP = (cidrange *)vm_alloc(sizeof(cidrange));
87 *************** scan_cidfont(cidfont *CIDFontP, cmapres
92 if (0 == strncmp(tokenStartP,"beginnotdefrange",16)) {
93 + if ((rangecnt <= 0) || (rangecnt > MAX_CID_CIDRANGECODES)) {
94 + rc = SCAN_OUT_OF_MEMORY;
97 CIDFontP->notdefrangecnt++;
98 notdefrangeP = (cidrange *)vm_alloc(sizeof(cidrange));
100 *** xc/lib/font/Type1/util.c Fri Oct 14 09:16:03 2005
101 --- xc/lib/font/Type1/util.c Wed Sep 6 17:42:08 2006
102 *************** vm_alloc(int bytes)
104 bytes = (bytes + 7) & ~7;
106 /* Allocate the space, if it is available */
107 ! if (bytes <= vm_free) {
112 bytes = (bytes + 7) & ~7;
114 /* Allocate the space, if it is available */
115 ! if ((bytes > 0) && (bytes <= vm_free)) {
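Review bot: The rounding `bytes = (bytes + 7) & ~7;` on the line above the new test still runs on the unchecked argument, so a value within 7 of INT_MAX overflows a signed int (undefined behaviour) before `bytes > 0` is ever evaluated. Move the positivity test ahead of the rounding and bound it at the same time, e.g. `if (bytes <= 0 || bytes > INT_MAX - 7) { /* existing failure path */ }` with `<limits.h>` in scope, then round. The `bytes > 0` part of the new condition does correctly reject negative inputs, since adding 7 and masking cannot turn a non-positive int positive, and it also now rejects a zero-byte request that the old code would have granted, which callers may or may not expect. vm_alloc's failure path and the remainder of its body are outside the hunk.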