Tue Jan 7 07:43:16 2014 UTC ()
CVE-2013-6462:
From aeabb3efa6905e11c479e2e5319f2b6b3ab22009 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon, 23 Dec 2013 18:34:02 -0800
Subject: [PATCH:libXfont 1/2] CVE-2013-XXXX: unlimited sscanf can overflow
 stack buffer in bdfReadCharacters()

Fixes cppcheck warning:
 [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
  scanf without field width limits can crash with huge input data.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
---
 src/bitmap/bdfread.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


(wiz)
diff -r1.2 -r1.3 xsrc/xfree/xc/lib/font/bitmap/bdfread.c
cvs diff -r1.2 -r1.3 xsrc/xfree/xc/lib/font/bitmap/Attic/bdfread.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/font/bitmap/Attic/bdfread.c 2007/04/03 20:10:34 1.2
+++ xsrc/xfree/xc/lib/font/bitmap/Attic/bdfread.c 2014/01/07 07:43:16 1.3
@@ -330,27 +330,27 @@ bdfReadCharacters(FontFilePtr file, Font @@ -330,27 +330,27 @@ bdfReadCharacters(FontFilePtr file, Font
330 int t; 330 int t;
331 int wx; /* x component of width */ 331 int wx; /* x component of width */
332 int wy; /* y component of width */ 332 int wy; /* y component of width */
333 int bw; /* bounding-box width */ 333 int bw; /* bounding-box width */
334 int bh; /* bounding-box height */ 334 int bh; /* bounding-box height */
335 int bl; /* bounding-box left */ 335 int bl; /* bounding-box left */
336 int bb; /* bounding-box bottom */ 336 int bb; /* bounding-box bottom */
337 int enc, 337 int enc,
338 enc2; /* encoding */ 338 enc2; /* encoding */
339 unsigned char *p; /* temp pointer into line */ 339 unsigned char *p; /* temp pointer into line */
340 char charName[100]; 340 char charName[100];
341 int ignore; 341 int ignore;
342 342
343 if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) { 343 if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
344 bdfError("bad character name in BDF file\n"); 344 bdfError("bad character name in BDF file\n");
345 goto BAILOUT; /* bottom of function, free and return error */ 345 goto BAILOUT; /* bottom of function, free and return error */
346 } 346 }
347 if (bitmapExtra) 347 if (bitmapExtra)
348 bitmapExtra->glyphNames[ndx] = bdfForceMakeAtom(charName, NULL); 348 bitmapExtra->glyphNames[ndx] = bdfForceMakeAtom(charName, NULL);
349 349
350 line = bdfGetLine(file, lineBuf, BDFLINELEN); 350 line = bdfGetLine(file, lineBuf, BDFLINELEN);
351 if (!line || (t = sscanf((char *) line, "ENCODING %d %d", &enc, &enc2)) < 1) { 351 if (!line || (t = sscanf((char *) line, "ENCODING %d %d", &enc, &enc2)) < 1) {
352 bdfError("bad 'ENCODING' in BDF file\n"); 352 bdfError("bad 'ENCODING' in BDF file\n");
353 goto BAILOUT; 353 goto BAILOUT;
354 } 354 }
355 if (enc < -1 || (t == 2 && enc2 < -1)) { 355 if (enc < -1 || (t == 2 && enc2 < -1)) {
356 bdfError("bad ENCODING value"); 356 bdfError("bad ENCODING value");