Author: emaste
Date: Tue Sep  1 01:35:43 2015
New Revision: 287340
URL: https://svnweb.freebsd.org/changeset/base/287340

Log:
  vtfontcvt: fix buffer overflow for non-default size .hex fonts
  
  Sponsored by: The FreeBSD Foundation

Modified:
  head/usr.bin/vtfontcvt/vtfontcvt.c

Modified: head/usr.bin/vtfontcvt/vtfontcvt.c
==============================================================================
--- head/usr.bin/vtfontcvt/vtfontcvt.c  Tue Sep  1 01:03:45 2015        
(r287339)
+++ head/usr.bin/vtfontcvt/vtfontcvt.c  Tue Sep  1 01:35:43 2015        
(r287340)
@@ -300,17 +300,26 @@ parse_hex(FILE *fp, unsigned int map_idx
        char *ln, *p;
        char fmt_str[8];
        size_t length;
-       uint8_t bytes[wbytes * height], bytes_r[wbytes * height];
+       uint8_t *bytes = NULL, *bytes_r = NULL;
        unsigned curchar = 0, i, line, chars_per_row, dwidth;
+       int rv = 0;
 
        while ((ln = fgetln(fp, &length)) != NULL) {
                ln[length - 1] = '\0';
 
                if (strncmp(ln, "# Height: ", 10) == 0) {
+                       if (bytes != NULL)
+                               errx(1, "malformed input: Height tag after font 
data");
                        height = atoi(ln + 10);
                } else if (strncmp(ln, "# Width: ", 9) == 0) {
+                       if (bytes != NULL)
+                               errx(1, "malformed input: Width tag after font 
data");
                        set_width(atoi(ln + 9));
                } else if (sscanf(ln, "%4x:", &curchar)) {
+                       if (bytes == NULL) {
+                               bytes = xmalloc(wbytes * height);
+                               bytes_r = xmalloc(wbytes * height);
+                       }
                        p = ln + 5;
                        chars_per_row = strlen(p) / height;
                        dwidth = width;
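Review bot: The values read from the `# Height:` and `# Width:` headers are still used unchecked when the buffers are sized in the new `if (bytes == NULL)` block. `atoi()` returns 0 for non-numeric input, so a header such as `# Height: 0` reaches `strlen(p) / height` as a division by zero and makes `xmalloc(wbytes * height)` a zero-size request. Depending on the types of `wbytes` and `height`, which are declared outside this hunk, a very large value could also make the product wrap and leave the buffers smaller than the later writes assume. A range check before the allocation would close this, for example `if (height == 0 || wbytes == 0) errx(1, "malformed input: invalid font dimensions");`, together with an upper bound on both values. The body of parse_hex continues past this hunk.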
@@ -323,16 +332,23 @@ parse_hex(FILE *fp, unsigned int map_idx
                                sscanf(p, fmt_str, &line);
                                p += chars_per_row;
                                if (parse_bitmap_line(bytes + i * wbytes,
-                                   bytes_r + i * wbytes, line, dwidth) != 0)
-                                       return (1);
+                                   bytes_r + i * wbytes, line, dwidth) != 0) {
+                                       rv = 1;
+                                       goto out;
+                               }
                        }
 
                        if (add_char(curchar, map_idx, bytes,
-                           dwidth == width * 2 ? bytes_r : NULL) != 0)
-                               return (1);
+                           dwidth == width * 2 ? bytes_r : NULL) != 0) {
+                               rv = 1;
+                               goto out;
+                       }
                }
        }
-       return (0);
+out:
+       free(bytes);
+       free(bytes_r);
+       return (rv);
 }
 
 static int
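Review bot: The `sscanf(p, fmt_str, &line)` call at the top of this hunk still ignores its return value. A glyph row that fails to convert leaves `line` holding the previous row's value, or an indeterminate one on the first row, since `line` is declared without an initializer, and that value is then passed to `parse_bitmap_line()`. The `rv`/`out` path added here makes this easy to handle like the other failures: `if (sscanf(p, fmt_str, &line) != 1) { rv = 1; goto out; }`. The loop header and the construction of `fmt_str` are outside the hunk, so the exact format being matched is not visible here.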