From owner-svn-src-stable@freebsd.org  Thu Sep 24 13:06:21 2015
Return-Path: <owner-svn-src-stable@freebsd.org>
Delivered-To: svn-src-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E6B9AA077B8;
 Thu, 24 Sep 2015 13:06:20 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id CBD341B9D;
 Thu, 24 Sep 2015 13:06:20 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.70])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t8OD6KVj036428;
 Thu, 24 Sep 2015 13:06:20 GMT (envelope-from emaste@FreeBSD.org)
Received: (from emaste@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id t8OD6KVX036427;
 Thu, 24 Sep 2015 13:06:20 GMT (envelope-from emaste@FreeBSD.org)
Message-Id: <201509241306.t8OD6KVX036427@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: emaste set sender to
 emaste@FreeBSD.org using -f
From: Ed Maste <emaste@FreeBSD.org>
Date: Thu, 24 Sep 2015 13:06:20 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r288174 - stable/10/usr.bin/vtfontcvt
X-SVN-Group: stable-10
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
 <svn-src-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable>, 
 <mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable/>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2015 13:06:21 -0000

Author: emaste
Date: Thu Sep 24 13:06:19 2015
New Revision: 288174
URL: https://svnweb.freebsd.org/changeset/base/288174

Log:
  MFC r287340: vtfontcvt: fix buffer overflow for non-default size .hex fonts
  
  And r287336 which introduced xmalloc.
  
  Sponsored by:	The FreeBSD Foundation

Modified:
  stable/10/usr.bin/vtfontcvt/vtfontcvt.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/usr.bin/vtfontcvt/vtfontcvt.c
==============================================================================
--- stable/10/usr.bin/vtfontcvt/vtfontcvt.c	Thu Sep 24 12:54:50 2015	(r288173)
+++ stable/10/usr.bin/vtfontcvt/vtfontcvt.c	Thu Sep 24 13:06:19 2015	(r288174)
@@ -96,6 +96,16 @@ usage(void)
 	exit(1);
 }
 
+static void *
+xmalloc(size_t size)
+{
+	void *m;
+
+	if ((m = malloc(size)) == NULL)
+		errx(1, "memory allocation failure");
+	return (m);
+}
+
 static int
 add_mapping(struct glyph *gl, unsigned int c, unsigned int map_idx)
 {
@@ -104,7 +114,7 @@ add_mapping(struct glyph *gl, unsigned i
 
 	mapping_total++;
 
-	mp = malloc(sizeof *mp);
+	mp = xmalloc(sizeof *mp);
 	mp->m_char = c;
 	mp->m_glyph = gl;
 	mp->m_length = 0;
@@ -163,8 +173,8 @@ add_glyph(const uint8_t *bytes, unsigned
 		}
 	}
 
-	gl = malloc(sizeof *gl);
-	gl->g_data = malloc(wbytes * height);
+	gl = xmalloc(sizeof *gl);
+	gl->g_data = xmalloc(wbytes * height);
 	memcpy(gl->g_data, bytes, wbytes * height);
 	if (fallback)
 		TAILQ_INSERT_HEAD(&glyphs[map_idx], gl, g_list);
@@ -290,17 +300,26 @@ parse_hex(FILE *fp, unsigned int map_idx
 	char *ln, *p;
 	char fmt_str[8];
 	size_t length;
-	uint8_t bytes[wbytes * height], bytes_r[wbytes * height];
+	uint8_t *bytes = NULL, *bytes_r = NULL;
 	unsigned curchar = 0, i, line, chars_per_row, dwidth;
+	int rv = 0;
 
 	while ((ln = fgetln(fp, &length)) != NULL) {
 		ln[length - 1] = '\0';
 
 		if (strncmp(ln, "# Height: ", 10) == 0) {
+			if (bytes != NULL)
+				errx(1, "malformed input: Height tag after font data");
 			height = atoi(ln + 10);
 		} else if (strncmp(ln, "# Width: ", 9) == 0) {
+			if (bytes != NULL)
+				errx(1, "malformed input: Width tag after font data");
 			set_width(atoi(ln + 9));
 		} else if (sscanf(ln, "%4x:", &curchar)) {
+			if (bytes == NULL) {
+				bytes = xmalloc(wbytes * height);
+				bytes_r = xmalloc(wbytes * height);
+			}
 			p = ln + 5;
 			chars_per_row = strlen(p) / height;
 			dwidth = width;
@@ -313,16 +332,23 @@ parse_hex(FILE *fp, unsigned int map_idx
 				sscanf(p, fmt_str, &line);
 				p += chars_per_row;
 				if (parse_bitmap_line(bytes + i * wbytes,
-				    bytes_r + i * wbytes, line, dwidth) != 0)
-					return (1);
+				    bytes_r + i * wbytes, line, dwidth) != 0) {
+					rv = 1;
+					goto out;
+				}
 			}
 
 			if (add_char(curchar, map_idx, bytes,
-			    dwidth == width * 2 ? bytes_r : NULL) != 0)
-				return (1);
+			    dwidth == width * 2 ? bytes_r : NULL) != 0) {
+				rv = 1;
+				goto out;
+			}
 		}
 	}
-	return (0);
+out:
+	free(bytes);
+	free(bytes_r);
+	return (rv);
 }
 
 static int