blob: b811dc030b63ef575d1ffe9cb43fce4a95d4b4a9 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
$NetBSD: patch-cg,v 1.1 2006/09/13 12:27:26 joerg Exp $
Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
--- lib/font/Type1/afm.c.orig 2006-09-13 14:17:16.000000000 +0200
+++ lib/font/Type1/afm.c
@@ -29,6 +29,7 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
+#include <limits.h>
#else
#include "Xmd.h" /* For INT32 declaration */
#include "Xdefs.h" /* For Bool */
@@ -118,6 +119,12 @@ int CIDAFM(FILE *fd, FontInfo **pfi) {
fi->nChars = atoi(p);
+ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
+ xfree(afmbuf);
+ xfree(fi);
+ return(1);
+ }
+
fi->metrics = (Metrics *)xalloc(fi->nChars *
sizeof(Metrics));
if (fi->metrics == NULL) {
|
