53 lines
1.8 KiB
Diff
53 lines
1.8 KiB
Diff
From 672bb944311392e2415b39c0d63b1e1902905bcd Mon Sep 17 00:00:00 2001
|
|
From: Michal Srb <msrb@suse.com>
|
|
Date: Thu, 20 Jul 2017 17:05:23 +0200
|
|
Subject: [PATCH] pcfGetProperties: Check string boundaries (CVE-2017-13722)
|
|
|
|
Without the checks a malformed PCF file can cause the library to make
|
|
atom from random heap memory that was behind the `strings` buffer.
|
|
This may crash the process or leak information.
|
|
|
|
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
src/bitmap/pcfread.c | 13 +++++++++++--
|
|
1 file changed, 11 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/bitmap/pcfread.c b/src/bitmap/pcfread.c
|
|
index dab1c44..ae34c28 100644
|
|
--- a/src/bitmap/pcfread.c
|
|
+++ b/src/bitmap/pcfread.c
|
|
@@ -45,6 +45,7 @@ from The Open Group.
|
|
|
|
#include <stdarg.h>
|
|
#include <stdint.h>
|
|
+#include <string.h>
|
|
|
|
void
|
|
pcfError(const char* message, ...)
|
|
@@ -311,11 +312,19 @@ pcfGetProperties(FontInfoPtr pFontInfo, FontFilePtr file,
|
|
if (IS_EOF(file)) goto Bail;
|
|
position += string_size;
|
|
for (i = 0; i < nprops; i++) {
|
|
+ if (props[i].name >= string_size) {
|
|
+ pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].name, string_size);
|
|
+ goto Bail;
|
|
+ }
|
|
props[i].name = MakeAtom(strings + props[i].name,
|
|
- strlen(strings + props[i].name), TRUE);
|
|
+ strnlen(strings + props[i].name, string_size - props[i].name), TRUE);
|
|
if (isStringProp[i]) {
|
|
+ if (props[i].value >= string_size) {
|
|
+ pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].value, string_size);
|
|
+ goto Bail;
|
|
+ }
|
|
props[i].value = MakeAtom(strings + props[i].value,
|
|
- strlen(strings + props[i].value), TRUE);
|
|
+ strnlen(strings + props[i].value, string_size - props[i].value), TRUE);
|
|
}
|
|
}
|
|
free(strings);
|
|
--
|
|
2.11.0
|
|
|