Tue Jan 7 18:07:17 2014 UTC ()
xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c patch
xsrc/xfree/xc/lib/font/bitmap/bdfread.c patch
Fix CVE-2013-6462: scanf without field width limits can crash
with huge input data.
[wiz, ticket #1896]
(bouyer)
diff -r1.1.1.1.2.1 -r1.1.1.1.2.2 xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
diff -r1.2 -r1.2.2.1 xsrc/xfree/xc/lib/font/bitmap/bdfread.c
--- xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c 2009/09/17 03:33:14 1.1.1.1.2.1
+++ xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c 2014/01/07 18:07:17 1.1.1.1.2.2
@@ -72,6 +72,7 @@
#define INDICES 256
#define MAXENCODING 0xFFFF
#define BDFLINELEN 1024
+#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */
static Bool bdfPadToTerminal(FontPtr pFont);
extern int bdfFileLineNum;
@@ -341,7 +342,7 @@
char charName[100];
int ignore;
- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
bdfError("bad character name in BDF file\n");
goto BAILOUT; /* bottom of function, free and return error */
}
@@ -547,13 +548,18 @@
unsigned char lineBuf[BDFLINELEN];
line = bdfGetLine(file, lineBuf, BDFLINELEN);
- if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+ if (!line ||
+ sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
!bdfStrEqual(namebuf, "2.1")) {
bdfError("bad 'STARTFONT'\n");
return (FALSE);
}
line = bdfGetLine(file, lineBuf, BDFLINELEN);
- if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+ if (!line ||
+ sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
bdfError("bad 'FONT'\n");
return (FALSE);
}
@@ -636,7 +642,9 @@
while (*line && isspace(*line))
line++;
- switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+ switch (sscanf((char *) line,
+ BDFLINESTR BDFLINESTR BDFLINESTR,
+ namebuf, secondbuf, thirdbuf)) {
default:
bdfError("missing '%s' parameter value\n", namebuf);
goto BAILOUT;
--- xsrc/xfree/xc/lib/font/bitmap/Attic/bdfread.c 2007/04/03 20:10:34 1.2
+++ xsrc/xfree/xc/lib/font/bitmap/Attic/bdfread.c 2014/01/07 18:07:17 1.2.2.1
@@ -70,6 +70,7 @@
#define INDICES 256
#define MAXENCODING 0xFFFF
#define BDFLINELEN 1024
+#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */
static Bool bdfPadToTerminal(FontPtr pFont);
extern int bdfFileLineNum;
@@ -340,7 +341,7 @@
char charName[100];
int ignore;
- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
bdfError("bad character name in BDF file\n");
goto BAILOUT; /* bottom of function, free and return error */
}
@@ -549,13 +550,18 @@
unsigned char lineBuf[BDFLINELEN];
line = bdfGetLine(file, lineBuf, BDFLINELEN);
- if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+ if (!line ||
+ sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
!bdfStrEqual(namebuf, "2.1")) {
bdfError("bad 'STARTFONT'\n");
return (FALSE);
}
line = bdfGetLine(file, lineBuf, BDFLINELEN);
- if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+ if (!line ||
+ sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
bdfError("bad 'FONT'\n");
return (FALSE);
}
@@ -639,7 +645,9 @@
while (*line && isspace(*line))
line++;
- switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+ switch (sscanf((char *) line,
+ BDFLINESTR BDFLINESTR BDFLINESTR,
+ namebuf, secondbuf, thirdbuf)) {
default:
bdfError("missing '%s' parameter value\n", namebuf);
goto BAILOUT;