1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
$NetBSD: patch-ae,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
--- src/bdf/bdflib.c.orig 2005-05-21 19:19:52.000000000 +0200
+++ src/bdf/bdflib.c 2006-06-05 23:22:50.000000000 +0200
@@ -1092,7 +1092,7 @@
#define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
#define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n"
#define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n"
-
+#define ERRMSG4 "[line %ld] BBX too big.\n"
static FT_Error
_bdf_add_comment( bdf_font_t* font,
@@ -1561,6 +1561,14 @@
p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+ /* Check that the encoding is in the range [0,65536] because */
+ /* otherwise p->have (a bitmap with static size) overflows. */
+ if ( p->glyph_enc >= sizeof(p->have)*8 )
+ {
+ error = BDF_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
/* Check to see whether this encoding has already been encountered. */
/* If it has then change it to unencoded so it gets added if */
/* indicated. */
@@ -1805,6 +1813,9 @@
/* And finally, gather up the bitmap. */
if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
{
+ unsigned long bitmap_size;
+
+
if ( !( p->flags & _BDF_BBX ) )
{
/* Missing BBX field. */
@@ -1815,7 +1826,16 @@
/* Allocate enough space for the bitmap. */
glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
+
+ bitmap_size = glyph->bpr * glyph->bbx.height;
+ if ( bitmap_size > 0xFFFFU )
+ {
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
+ error = BDF_Err_Bbx_Too_Big;
+ goto Exit;
+ }
+ else
+ glyph->bytes = (unsigned short)bitmap_size;
if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
goto Exit;
|
