qbit/xenocara
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

MFC: pcfGetProperties: Check string boundaries (CVE-2017-13722)

Browse Source 
Without the checks a malformed PCF file can cause the library to make
atom from random heap memory that was behind the `strings` buffer.
This may crash the process or leak information.
This commit is contained in:
matthieu 2017-10-14 09:03:00 +00:00
parent dadc83bba7
commit 7e1ada6240
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
lib/libXfont/src/bitmap/pcfread.c
View File

@ -44,6 +44,7 @@ from The Open Group.
#include <stdarg.h> #include <stdarg.h>
#include <stdint.h> #include <stdint.h>
#include <string.h>
void void
pcfError(const char* message, ...) pcfError(const char* message, ...)
@ -310,11 +311,19 @@ pcfGetProperties(FontInfoPtr pFontInfo, FontFilePtr file,
if (IS_EOF(file)) goto Bail; if (IS_EOF(file)) goto Bail;
position += string_size; position += string_size;
for (i = 0; i < nprops; i++) { for (i = 0; i < nprops; i++) {
if (props[i].name >= string_size) {
pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].name, string_size);
goto Bail;
}
props[i].name = MakeAtom(strings + props[i].name, props[i].name = MakeAtom(strings + props[i].name,
strlen(strings + props[i].name), TRUE); strnlen(strings + props[i].name, string_size - props[i].name), TRUE);
if (isStringProp[i]) { if (isStringProp[i]) {
if (props[i].value >= string_size) {
pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].value, string_size);
goto Bail;
}
props[i].value = MakeAtom(strings + props[i].value, props[i].value = MakeAtom(strings + props[i].value,
strlen(strings + props[i].value), TRUE); strnlen(strings + props[i].value, string_size - props[i].value), TRUE);
} }
} }
free(strings); free(strings);