Tue Jan 7 07:43:47 2014 UTC ()
Additional hardening after CVE-2013-6462:

From f8b21df399fbedd08da88752181b8a290a38d890 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon, 23 Dec 2013 19:01:11 -0800
Subject: [PATCH:libXfont 2/2] Limit additional sscanf strings to fit buffer
 sizes

None of these could currently result in buffer overflow, as the input
and output buffers were the same size, but adding limits helps ensure
we keep it that way, if we ever resize any of these in the future.

Fixes cppcheck warnings:
 [lib/libXfont/src/bitmap/bdfread.c:547]: (warning)
  scanf without field width limits can crash with huge input data.
 [lib/libXfont/src/bitmap/bdfread.c:553]: (warning)
  scanf without field width limits can crash with huge input data.
 [lib/libXfont/src/bitmap/bdfread.c:636]: (warning)
  scanf without field width limits can crash with huge input data.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
---
 src/bitmap/bdfread.c |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)


(wiz)
diff -r1.3 -r1.4 xsrc/xfree/xc/lib/font/bitmap/bdfread.c
cvs diff -r1.3 -r1.4 xsrc/xfree/xc/lib/font/bitmap/Attic/bdfread.c (expand / switch to context diff)
--- xsrc/xfree/xc/lib/font/bitmap/Attic/bdfread.c 2014/01/07 07:43:16 1.3
+++ xsrc/xfree/xc/lib/font/bitmap/Attic/bdfread.c 2014/01/07 07:43:47 1.4
@@ -70,6 +70,7 @@
 #define INDICES 256
 #define MAXENCODING 0xFFFF
 #define BDFLINELEN  1024
+#define BDFLINESTR  "%1023s" /* scanf specifier to read a BDFLINELEN string */
 
 static Bool bdfPadToTerminal(FontPtr pFont);
 extern int  bdfFileLineNum;
@@ -549,13 +550,18 @@
     unsigned char        lineBuf[BDFLINELEN];
 
     line = bdfGetLine(file, lineBuf, BDFLINELEN);
-    if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+    if (!line ||
+        sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
 	    !bdfStrEqual(namebuf, "2.1")) {
 	bdfError("bad 'STARTFONT'\n");
 	return (FALSE);
     }
     line = bdfGetLine(file, lineBuf, BDFLINELEN);
-    if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+    if (!line ||
+        sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
 	bdfError("bad 'FONT'\n");
 	return (FALSE);
     }
@@ -639,7 +645,9 @@
 	while (*line && isspace(*line))
 	    line++;
 
-	switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+	switch (sscanf((char *) line,
+                       BDFLINESTR BDFLINESTR BDFLINESTR,
+                       namebuf, secondbuf, thirdbuf)) {
 	default:
 	    bdfError("missing '%s' parameter value\n", namebuf);
 	    goto BAILOUT;