author: Tobias Stoeckmann <tobias@stoeckmann.org>, 2017-11-08 21:36:32 +0100
committer: Alan Coopersmith <alan.coopersmith@oracle.com>, 2019-06-09 09:43:37 -0700
commit: c5d12b729b61576069f479a0b5141aedea04676b
tree: b0a61e1399366ac276446d69902df4f2bb91b674
parent: 1d70c9accf93b9fae1b9adb48e47b7d96a5ae64e
download: xorg-font-util-c5d12b729b61576069f479a0b5141aedea04676b.tar.gz
ucs2any: Fix parser crash on 32 bit
It is possible to crash ucs2any or provoke successful return value even
though the processing was not successful.
The problem lies within a possible integer overflow when adding elements
with a key which is too large.
You can trigger the issue this way on a 32 bit system:
$ cat > source.bdf << "EOF"
STARTFONT source
CHARS 1
ENCODING 1073741823
EOF
$ ucs2any source.bdf
Segmentation fault
$ _
Another possibility would be to add "ENCODING 1" right after the CHARS
line. In that case, realloc will allocate 0 bytes afterwards which is a
success but might return NULL, e.g. on Linux/glibc systems. Such a
result value is handled as an error and errno is evaluated and returned,
even though there was no error:
$ cat > source.bdf << "EOF"
STARTFONT source
CHARS 1
ENCODING 1
ENCODING 1073741823
EOF
$ ucs2any source.bdf
ucs2any: Success
$ echo $?
0
$ _
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
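The two failure modes in the message (the multiplication `(key + 1) * sizeof(void *)` wrapping on a 32-bit `size_t`, and a wrapped size of 0 turning `realloc` into a call whose NULL return is not an error) both come from computing the allocation size before checking that it fits. The following is an added illustration written for this page, not ucs2any's code: a hypothetical `da_add_checked()` on a struct shaped like the `da_t` visible in the hunk (`int size`, `void **values`) that bounds `key` against both `INT_MAX` and `SIZE_MAX / sizeof(void *)` before any arithmetic, so the byte count can never be 0 or wrap, and reports failure to the caller instead of exiting. `da_key_fits()` and `demo_sequence()` are helpers invented here so the checks can be exercised on their own.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable pointer array, modelled on the field names seen in
 * the patch context (int size, void **values). Not the project's da_t. */
typedef struct {
    int size;
    void **values;
} da_t;

/* Returns 1 if `key` can be used as an index without any intermediate
 * overflow, 0 otherwise. Both bounds are needed: key + 1 is computed in int,
 * and (key + 1) * sizeof(void *) is computed in size_t. */
int da_key_fits(int key)
{
    if (key < 0)
        return 0;
    if (key >= INT_MAX)             /* key + 1 would overflow int */
        return 0;
    size_t nelem = (size_t)key + 1;
    if (nelem > SIZE_MAX / sizeof(void *))   /* nelem * sizeof would wrap */
        return 0;
    return 1;
}

/* Stores `value` at index `key`, growing the array as needed.
 * Returns 0 on success, -1 on an out-of-range key or allocation failure. */
int da_add_checked(da_t *da, int key, void *value)
{
    if (!da_key_fits(key))
        return -1;
    if (key >= da->size) {
        size_t nelem = (size_t)key + 1;
        /* nelem >= 1 and the product was bounded above, so bytes is never 0
         * and a NULL from realloc really does mean failure. */
        size_t bytes = nelem * sizeof(void *);
        void **nv = realloc(da->values, bytes);
        if (nv == NULL)
            return -1;
        /* Clear the slots between the old size and the new one. */
        memset(nv + da->size, 0, (nelem - (size_t)da->size) * sizeof(void *));
        da->values = nv;
        da->size = key + 1;
    }
    da->values[key] = value;
    return 0;
}

/* Adds two sparse keys and checks the gap was zeroed. Returns the resulting
 * size (6) on success, -1 on any failure. */
int demo_sequence(void)
{
    static int a, b;                 /* dummy payloads; only their addresses matter */
    da_t da = { 0, NULL };
    if (da_add_checked(&da, 1, &a) != 0 || da_add_checked(&da, 5, &b) != 0)
        return -1;
    int ok = da.values[1] == &a && da.values[5] == &b && da.values[3] == NULL;
    int size = da.size;
    free(da.values);
    return ok ? size : -1;
}

int main(void)
{
    /* 1073741823 is the key from the commit message; on a 32-bit size_t
     * it is rejected by the SIZE_MAX bound, on LP64 it passes. */
    printf("key 1073741823 fits: %d\n", da_key_fits(1073741823));
    printf("key INT_MAX fits:    %d\n", da_key_fits(INT_MAX));
    printf("demo size:           %d\n", demo_sequence());
    return 0;
}
```

The ordering is the point: validate the index, derive `nelem` from it, and only then multiply. With `nelem` at least 1 and the product bounded, the `realloc(ptr, 0)` ambiguity the message describes cannot arise, and the remaining NULL case is a genuine allocation failure that is safe to report as one.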
-rw-r--r-- | ucs2any.c | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -45,6 +45,7 @@ #endif #include <limits.h> #include <stdarg.h> +#include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -220,6 +221,11 @@ da_add(da_t *da, int key, void *value) { int i = da->size; if (key >= 0) { + if ((size_t)key >= SIZE_MAX / sizeof(void *)) { + fprintf(stderr, "%s: Illegal key '%d' encountered!\n", + my_name, key); + exit(1); + } if (key >= da->size) { da->size = key + 1; da->values = zrealloc(da->values, |
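Review bot: the new bound in da_add() guards the size_t multiplication behind zrealloc but not the int arithmetic that follows it: `da->size = key + 1;` still overflows for key == INT_MAX on any target where SIZE_MAX / sizeof(void *) exceeds INT_MAX (LP64 builds), so there the check never fires and the int overflow remains. Since <limits.h> is already included in the surrounding context, widen the test to `if (key >= INT_MAX || (size_t)key >= SIZE_MAX / sizeof(void *))`. A one-line comment above the check saying it also rules out the wrapped-to-0 realloc case from the commit message would keep a later reader from loosening it.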