$NetBSD: patch-ch,v 1.1 2006/09/13 12:27:26 joerg Exp $
Fixes for CVE-2006-3739 and CVE-2006-3740.
--- lib/font/Type1/scanfont.c.orig 2006-09-13 14:18:59.000000000 +0200
+++ lib/font/Type1/scanfont.c
@@ -57,6 +57,7 @@
#ifndef FONTMODULE
#include <string.h>
+#include <limits.h>
#else
#include "Xdefs.h" /* Bool declaration */
#include "Xmd.h" /* INT32 declaration */
@@ -654,6 +655,7 @@ getFDArray(psobj *arrayP)
arrayP->data.valueP = tokenStartP;
/* allocate FDArray */
+ /* No integer overflow since arrayP->len is unsigned short */
FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
@@ -850,7 +852,8 @@ BuildSubrs(psfont *FontP)
}
return(SCAN_OK);
}
-
+ if (N > INT_MAX / sizeof(psobj))
+ return (SCAN_ERROR);
arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
FontP->Subrs.len = N;
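Review bot: The added guard `+ if (N > INT_MAX / sizeof(psobj))` rejects a negative N only as a side effect of the usual arithmetic conversions: if N is a signed int, as the integer-token parsing suggests, it is converted to size_t for the comparison and a negative value becomes a large unsigned one. That is correct but implicit, and it differs from the explicit `N<=0 ||` form used in the BuildCharStrings hunk of this same patch. Making the sign check explicit keeps the two guards consistent and survives a future change of the divisor's type: `if (N < 0 || N > INT_MAX / sizeof(psobj))`. Whether N is already range-checked earlier in BuildSubrs cannot be seen here; the function's body starts outside the hunk.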
@@ -911,7 +914,7 @@ BuildCharStrings(psfont *FontP)
}
else return(rc); /* if next token was not an Int */
}
- if (N<=0) return(SCAN_ERROR);
+ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
/* save number of entries in the dictionary */
dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
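Review bot: The new bound in `+ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);` is one element short of what the allocation two lines below actually requests: it allocates `(N+1)*sizeof(psdict)`, so N == INT_MAX / sizeof(psdict) passes the check while the byte count still exceeds INT_MAX by up to sizeof(psdict). Whether that wraps depends on vm_alloc's parameter type, which is outside the hunk, but the guard should account for the extra entry: `if (N<=0 || N > INT_MAX / sizeof(psdict) - 1) return(SCAN_ERROR);`. BuildCharStrings's body begins and continues outside the hunk.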
@@ -1719,6 +1722,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres
if (tokenType == TOKEN_INTEGER)
rangecnt = tokenValue.integer;
+ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
+ rc = SCAN_ERROR;
+ break;
+ }
/* ==> tokenLength, tokenTooLong, tokenType, and */
/* tokenValue are now set */