CVS commit: [netbsd-6-0] xsrc

Tue, 07 Jan 2014 10:08:11 -0800 

Module Name:    xsrc
Committed By:   bouyer
Date:           Tue Jan  7 18:02:38 UTC 2014

Modified Files:
        xsrc/external/mit/libXfont/dist/src/bitmap [netbsd-6-0]: bdfread.c
        xsrc/xfree/xc/lib/font/bitmap [netbsd-6-0]: bdfread.c

Log Message:
xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c    patch
xsrc/xfree/xc/lib/font/bitmap/bdfread.c                 patch

        Fix CVE-2013-6462: scanf without field width limits can crash
        with huge input data.
        [wiz, ticket #1011]


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \
    xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
cvs rdiff -u -r1.2 -r1.2.10.1 xsrc/xfree/xc/lib/font/bitmap/bdfread.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
diff -u xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.2 xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.2.4.1
--- xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.2	Wed Jun 10 07:33:40 2009
+++ xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c	Tue Jan  7 18:02:37 2014
@@ -72,6 +72,7 @@ from The Open Group.
 #define INDICES 256
 #define MAXENCODING 0xFFFF
 #define BDFLINELEN  1024
+#define BDFLINESTR  "%1023s" /* scanf specifier to read a BDFLINELEN string */
 
 static Bool bdfPadToTerminal(FontPtr pFont);
 extern int  bdfFileLineNum;
@@ -341,7 +342,7 @@ bdfReadCharacters(FontFilePtr file, Font
 	char        charName[100];
 	int         ignore;
 
-	if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+	if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
 	    bdfError("bad character name in BDF file\n");
 	    goto BAILOUT;	/* bottom of function, free and return error */
 	}
@@ -547,13 +548,18 @@ bdfReadHeader(FontFilePtr file, bdfFileS
     unsigned char        lineBuf[BDFLINELEN];
 
     line = bdfGetLine(file, lineBuf, BDFLINELEN);
-    if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+    if (!line ||
+	sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
 	    !bdfStrEqual(namebuf, "2.1")) {
 	bdfError("bad 'STARTFONT'\n");
 	return (FALSE);
     }
     line = bdfGetLine(file, lineBuf, BDFLINELEN);
-    if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+    if (!line || 
+	sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
 	bdfError("bad 'FONT'\n");
 	return (FALSE);
     }
@@ -636,7 +642,9 @@ bdfReadProperties(FontFilePtr file, Font
 	while (*line && isspace(*line))
 	    line++;
 
-	switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+	switch (sscanf((char *) line, 
+				BDFLINESTR BDFLINESTR BDFLINESTR,
+				namebuf, secondbuf, thirdbuf)) {
 	default:
 	    bdfError("missing '%s' parameter value\n", namebuf);
 	    goto BAILOUT;

Index: xsrc/xfree/xc/lib/font/bitmap/bdfread.c
diff -u xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2 xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.10.1
--- xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2	Tue Apr  3 20:10:34 2007
+++ xsrc/xfree/xc/lib/font/bitmap/bdfread.c	Tue Jan  7 18:02:38 2014
@@ -70,6 +70,7 @@ from The Open Group.
 #define INDICES 256
 #define MAXENCODING 0xFFFF
 #define BDFLINELEN  1024
+#define BDFLINESTR  "%1023s" /* scanf specifier to read a BDFLINELEN string */
 
 static Bool bdfPadToTerminal(FontPtr pFont);
 extern int  bdfFileLineNum;
@@ -340,7 +341,7 @@ bdfReadCharacters(FontFilePtr file, Font
 	char        charName[100];
 	int         ignore;
 
-	if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+	if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
 	    bdfError("bad character name in BDF file\n");
 	    goto BAILOUT;	/* bottom of function, free and return error */
 	}
@@ -549,13 +550,18 @@ bdfReadHeader(FontFilePtr file, bdfFileS
     unsigned char        lineBuf[BDFLINELEN];
 
     line = bdfGetLine(file, lineBuf, BDFLINELEN);
-    if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+    if (!line || 
+	sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
 	    !bdfStrEqual(namebuf, "2.1")) {
 	bdfError("bad 'STARTFONT'\n");
 	return (FALSE);
     }
     line = bdfGetLine(file, lineBuf, BDFLINELEN);
-    if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+    if (!line ||
+	sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
 	bdfError("bad 'FONT'\n");
 	return (FALSE);
     }
@@ -639,7 +645,9 @@ bdfReadProperties(FontFilePtr file, Font
 	while (*line && isspace(*line))
 	    line++;
 
-	switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+	switch (sscanf((char *) line, 
+			BDFLINESTR BDFLINESTR BDFLINESTR,
+			namebuf, secondbuf, thirdbuf)) {
 	default:
 	    bdfError("missing '%s' parameter value\n", namebuf);
 	    goto BAILOUT;

Reply via email to