Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 1 Sep 2015 01:35:43 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r287340 - head/usr.bin/vtfontcvt
Message-ID:  <201509010135.t811ZhiQ005594@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: emaste
Date: Tue Sep  1 01:35:43 2015
New Revision: 287340
URL: https://svnweb.freebsd.org/changeset/base/287340

Log:
  vtfontcvt: fix buffer overflow for non-default size .hex fonts
  
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/usr.bin/vtfontcvt/vtfontcvt.c

Modified: head/usr.bin/vtfontcvt/vtfontcvt.c
==============================================================================
--- head/usr.bin/vtfontcvt/vtfontcvt.c	Tue Sep  1 01:03:45 2015	(r287339)
+++ head/usr.bin/vtfontcvt/vtfontcvt.c	Tue Sep  1 01:35:43 2015	(r287340)
@@ -300,17 +300,26 @@ parse_hex(FILE *fp, unsigned int map_idx
 	char *ln, *p;
 	char fmt_str[8];
 	size_t length;
-	uint8_t bytes[wbytes * height], bytes_r[wbytes * height];
+	uint8_t *bytes = NULL, *bytes_r = NULL;
 	unsigned curchar = 0, i, line, chars_per_row, dwidth;
+	int rv = 0;
 
 	while ((ln = fgetln(fp, &length)) != NULL) {
 		ln[length - 1] = '\0';
 
 		if (strncmp(ln, "# Height: ", 10) == 0) {
+			if (bytes != NULL)
+				errx(1, "malformed input: Height tag after font data");
 			height = atoi(ln + 10);
 		} else if (strncmp(ln, "# Width: ", 9) == 0) {
+			if (bytes != NULL)
+				errx(1, "malformed input: Width tag after font data");
 			set_width(atoi(ln + 9));
 		} else if (sscanf(ln, "%4x:", &curchar)) {
+			if (bytes == NULL) {
+				bytes = xmalloc(wbytes * height);
+				bytes_r = xmalloc(wbytes * height);
+			}
 			p = ln + 5;
 			chars_per_row = strlen(p) / height;
 			dwidth = width;
@@ -323,16 +332,23 @@ parse_hex(FILE *fp, unsigned int map_idx
 				sscanf(p, fmt_str, &line);
 				p += chars_per_row;
 				if (parse_bitmap_line(bytes + i * wbytes,
-				    bytes_r + i * wbytes, line, dwidth) != 0)
-					return (1);
+				    bytes_r + i * wbytes, line, dwidth) != 0) {
+					rv = 1;
+					goto out;
+				}
 			}
 
 			if (add_char(curchar, map_idx, bytes,
-			    dwidth == width * 2 ? bytes_r : NULL) != 0)
-				return (1);
+			    dwidth == width * 2 ? bytes_r : NULL) != 0) {
+				rv = 1;
+				goto out;
+			}
 		}
 	}
-	return (0);
+out:
+	free(bytes);
+	free(bytes_r);
+	return (rv);
 }
 
 static int

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201509010135.t811ZhiQ005594>