Module Name: xsrc
Committed By: wiz
Date: Tue Jan 7 07:43:47 UTC 2014
Modified Files:
xsrc/xfree/xc/lib/font/bitmap: bdfread.c
Log Message:
Additional hardening after CVE-2013-6462:
>From f8b21df399fbedd08da88752181b8a290a38d890 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Mon, 23 Dec 2013 19:01:11 -0800
Subject: [PATCH:libXfont 2/2] Limit additional sscanf strings to fit buffer
sizes
None of these could currently result in buffer overflow, as the input
and output buffers were the same size, but adding limits helps ensure
we keep it that way, if we ever resize any of these in the future.
Fixes cppcheck warnings:
[lib/libXfont/src/bitmap/bdfread.c:547]: (warning)
scanf without field width limits can crash with huge input data.
[lib/libXfont/src/bitmap/bdfread.c:553]: (warning)
scanf without field width limits can crash with huge input data.
[lib/libXfont/src/bitmap/bdfread.c:636]: (warning)
scanf without field width limits can crash with huge input data.
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
Reviewed-by: Jeremy Huddleston Sequoia <[email protected]>
---
src/bitmap/bdfread.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 xsrc/xfree/xc/lib/font/bitmap/bdfread.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/xfree/xc/lib/font/bitmap/bdfread.c
diff -u xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.3 xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.4
--- xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.3 Tue Jan 7 07:43:16 2014
+++ xsrc/xfree/xc/lib/font/bitmap/bdfread.c Tue Jan 7 07:43:47 2014
@@ -70,6 +70,7 @@ from The Open Group.
#define INDICES 256
#define MAXENCODING 0xFFFF
#define BDFLINELEN 1024
+#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */
static Bool bdfPadToTerminal(FontPtr pFont);
extern int bdfFileLineNum;
@@ -549,13 +550,18 @@ bdfReadHeader(FontFilePtr file, bdfFileS
unsigned char lineBuf[BDFLINELEN];
line = bdfGetLine(file, lineBuf, BDFLINELEN);
- if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+ if (!line ||
+ sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
!bdfStrEqual(namebuf, "2.1")) {
bdfError("bad 'STARTFONT'\n");
return (FALSE);
}
line = bdfGetLine(file, lineBuf, BDFLINELEN);
- if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+ if (!line ||
+ sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
bdfError("bad 'FONT'\n");
return (FALSE);
}
@@ -639,7 +645,9 @@ bdfReadProperties(FontFilePtr file, Font
while (*line && isspace(*line))
line++;
- switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+ switch (sscanf((char *) line,
+ BDFLINESTR BDFLINESTR BDFLINESTR,
+ namebuf, secondbuf, thirdbuf)) {
default:
bdfError("missing '%s' parameter value\n", namebuf);
goto BAILOUT;
