Date: Sun, 16 Jun 2019 13:51:45 +0000 (UTC)
From: Ed Maste <emaste@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r349108 - head/usr.bin/vtfontcvt
Message-ID: <201906161351.x5GDpjgh088519@repo.freebsd.org>
Author: emaste Date: Sun Jun 16 13:51:45 2019 New Revision: 349108 URL: https://svnweb.freebsd.org/changeset/base/349108 Log: vtfontcvt: improve .bdf validation Previously if we had a BBX entry that had invalid values (e.g. bounding box outside of font bounding box) and failed sscanf (e.g., because it had fewer than four values) we skipped the BBX value validation and then triggered an assertion failure. Reported by: afl MFC with: r349100 Event: Berlin Devsummit 2019 Sponsored by: The FreeBSD Foundation Modified: head/usr.bin/vtfontcvt/vtfontcvt.c Modified: head/usr.bin/vtfontcvt/vtfontcvt.c ============================================================================== --- head/usr.bin/vtfontcvt/vtfontcvt.c Sun Jun 16 13:35:53 2019 (r349107) +++ head/usr.bin/vtfontcvt/vtfontcvt.c Sun Jun 16 13:51:45 2019 (r349108) @@ -379,9 +379,10 @@ parse_bdf(FILE *fp, unsigned int map_idx) curchar = atoi(ln + 9); } else if (strncmp(ln, "DWIDTH ", 7) == 0) { dwidth = atoi(ln + 7); - } else if (strncmp(ln, "BBX ", 4) == 0 && - sscanf(ln + 4, "%d %d %d %d", &bbw, &bbh, &bbox, - &bboy) == 4) { + } else if (strncmp(ln, "BBX ", 4) == 0) { + if (sscanf(ln + 4, "%d %d %d %d", &bbw, &bbh, &bbox, + &bboy) != 4) + errx(1, "invalid BBX at line %u", linenum); if (bbw < 1 || bbh < 1 || bbw > fbbw || bbh > fbbh || bbox < fbbox || bboy < fbboy || bbh + bboy > fbbh + fbboy)
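Review bot: In the new BBX branch, the `!= 4` check only catches lines with too few numbers; sscanf with "%d" still has undefined behaviour when a value does not fit in an int, and it ignores any trailing text after the fourth number. Because bboy has a lower bound (`bboy < fbboy`) but no upper bound before `bbh + bboy > fbbh + fbboy` is evaluated, a very large bboy can overflow the signed addition in that comparison. Consider parsing the four fields with strtol, checking errno, the end pointer and the int range, and bounding bboy before summing. The ENCODING and DWIDTH context lines just above the change use atoi (`curchar = atoi(ln + 9)`, `dwidth = atoi(ln + 7)`), which reports no errors at all, so malformed input there has the same validation gap and would benefit from the same treatment.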