bdfReadProperties: property count needs range check [CVE-2015-1802]

Avoid integer overflow or underflow when allocating memory arrays by multiplying the number of properties reported for a BDF font. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e)
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2015-02-06 15:50:45 -0800
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2015-03-17 08:36:59 -0700
commit: 1cf5752474dd3959cdd992d8f4f40fffe10291d5 (patch)
tree: 02d9ed9367907e35a128d126c0a9d68e76011ece
parent: 8ca608bdb5a5af7ee705ae4c3725ac774a69018b (diff)
download: xorg-lib-libXfont-1cf5752474dd3959cdd992d8f4f40fffe10291d5.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
index 914a024..6387908 100644
--- a/src/bitmap/bdfread.c
+++ b/src/bitmap/bdfread.c
@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
 	bdfError("missing 'STARTPROPERTIES'\n");
 	return (FALSE);
     }
-    if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
+    if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
+	(nProps <= 0) ||
+	(nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
 	bdfError("bad 'STARTPROPERTIES'\n");
 	return (FALSE);
     }
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2015-02-06 15:50:45 -0800
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2015-03-17 08:36:59 -0700
commit	1cf5752474dd3959cdd992d8f4f40fffe10291d5 (patch)
tree	02d9ed9367907e35a128d126c0a9d68e76011ece
parent	8ca608bdb5a5af7ee705ae4c3725ac774a69018b (diff)
download	xorg-lib-libXfont-1cf5752474dd3959cdd992d8f4f40fffe10291d5.tar.gz