Tue Jan 7 07:43:47 2014 UTC ()
Additional hardening after CVE-2013-6462:

From f8b21df399fbedd08da88752181b8a290a38d890 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon, 23 Dec 2013 19:01:11 -0800
Subject: [PATCH:libXfont 2/2] Limit additional sscanf strings to fit buffer
 sizes

None of these could currently result in buffer overflow, as the input
and output buffers were the same size, but adding limits helps ensure
we keep it that way, if we ever resize any of these in the future.

Fixes cppcheck warnings:
 [lib/libXfont/src/bitmap/bdfread.c:547]: (warning)
  scanf without field width limits can crash with huge input data.
 [lib/libXfont/src/bitmap/bdfread.c:553]: (warning)
  scanf without field width limits can crash with huge input data.
 [lib/libXfont/src/bitmap/bdfread.c:636]: (warning)
  scanf without field width limits can crash with huge input data.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
---
 src/bitmap/bdfread.c |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)


(wiz)
diff -r1.3 -r1.4 xsrc/xfree/xc/lib/font/bitmap/bdfread.c


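--- a/xsrc/xfree/xc/lib/font/bitmap/Attic/bdfread.c
+++ b/xsrc/xfree/xc/lib/font/bitmap/Attic/bdfread.c
@@ -60,26 +60,27 @@ from The Open Group.
 /* use bitmap structure */
 #include "bitmap.h"
 #include "bdfint.h"
 
 #if HAVE_STDINT_H
 #include <stdint.h>
 #elif !defined(INT32_MAX)
 #define INT32_MAX 0x7fffffff
 #endif
 
 #define INDICES 256
 #define MAXENCODING 0xFFFF
 #define BDFLINELEN 1024
+#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */
 
 static Bool bdfPadToTerminal(FontPtr pFont);
 extern int bdfFileLineNum;
 
 /***====================================================================***/
 
 static Bool
 bdfReadBitmap(CharInfoPtr pCI, FontFilePtr file, int bit, int byte,
  int glyph, int scan, CARD32 *sizes)
 {
  int widthBits,
  widthBytes,
  widthHexChars;
@@ -539,33 +540,38 @@ BAILOUT:
  return (FALSE);
 }
 
 /***====================================================================***/
 
 static Bool
 bdfReadHeader(FontFilePtr file, bdfFileState *pState)
 {
  unsigned char *line;
  char namebuf[BDFLINELEN];
  unsigned char lineBuf[BDFLINELEN];
 
  line = bdfGetLine(file, lineBuf, BDFLINELEN);
- if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+ if (!line ||
+ sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
  !bdfStrEqual(namebuf, "2.1")) {
  bdfError("bad 'STARTFONT'\n");
  return (FALSE);
  }
  line = bdfGetLine(file, lineBuf, BDFLINELEN);
- if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+ if (!line ||
+ sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
  bdfError("bad 'FONT'\n");
  return (FALSE);
  }
  line = bdfGetLine(file, lineBuf, BDFLINELEN);
  if (!line || !bdfIsPrefix(line, "SIZE")) {
  bdfError("missing 'SIZE'\n");
  return (FALSE);
  }
  if (sscanf((char *) line, "SIZE %f%d%d", &pState->pointSize,
  &pState->resolution_x, &pState->resolution_y) != 3) {
  bdfError("bad 'SIZE'\n");
  return (FALSE);
  }
@@ -629,27 +635,29 @@ bdfReadProperties(FontFilePtr file, Font
 
  nextProp = 0;
  props_left = nProps;
  while (props_left-- > 0) {
  line = bdfGetLine(file, lineBuf, BDFLINELEN);
  if (line == NULL || bdfIsPrefix(line, "ENDPROPERTIES")) {
  bdfError("\"STARTPROPERTIES %d\" followed by only %d properties\n",
  nProps, nProps - props_left - 1);
  goto BAILOUT;
  }
  while (*line && isspace(*line))
  line++;
 
- switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+ switch (sscanf((char *) line,
+ BDFLINESTR BDFLINESTR BDFLINESTR,
+ namebuf, secondbuf, thirdbuf)) {
  default:
  bdfError("missing '%s' parameter value\n", namebuf);
  goto BAILOUT;
 
  case 2:
  /*
  * Possibilites include: valid quoted string with no white space
  * valid integer value invalid value
  */
  if (secondbuf[0] == '"') {
  stringProps[nextProp] = TRUE;
  props[nextProp].value =
  bdfGetPropertyValue((char *)line + strlen(namebuf) + 1);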
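Review bot: BDFLINESTR in the first hunk hard-codes the width 1023 while its comment ties it to BDFLINELEN, yet nothing enforces that relationship, so a later change to `#define BDFLINELEN 1024` would silently leave every `%1023s` read mismatched with the BDFLINELEN-sized buffers it fills — the same drift this commit guards against for MAXFONTNAMELEN in bdfReadHeader. The existing `#if`/`#error` pattern fits directly under the new define: `#if BDFLINELEN != 1024`, `# error "BDFLINESTR width must be BDFLINELEN - 1"`, `#endif`. In the last hunk the three-token sscanf in bdfReadProperties now assumes secondbuf and thirdbuf are also BDFLINELEN bytes; their declarations and the start of that function lie outside the hunk, so that assumption is worth confirming against the declarations.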