]> code.ossystems Code Review - openembedded-core.git/blob
Code Review / openembedded-core.git / blob
? search:


cc66c12452472da6bc779a5657aad14b5878a763
[openembedded-core.git] /
1 From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001
2 From: Alan Coopersmith <alan.coopersmith@oracle.com>
3 Date: Fri, 6 Feb 2015 15:54:00 -0800
4 Subject: [PATCH] bdfReadCharacters: bailout if a char's bitmap cannot be read
5  [CVE-2015-1803]
6
7 Previously would charge on ahead with a NULL pointer in ci->bits, and
8 then crash later in FontCharInkMetrics() trying to access the bits.
9
10 Found with afl-1.23b.
11
12 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
13 Reviewed-by: Julien Cristau <jcristau@debian.org>
14
15 Upstream-Status: backport
16
17 Signed-off-by: Li Zhou <li.zhou@windriver.com>
18 ---
19  src/bitmap/bdfread.c |    5 ++++-
20  1 file changed, 4 insertions(+), 1 deletion(-)
21
22 diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
23 index 6387908..1b29b81 100644
24 --- a/src/bitmap/bdfread.c
25 +++ b/src/bitmap/bdfread.c
26 @@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
27             ci->metrics.descent = -bb;
28             ci->metrics.characterWidth = wx;
29             ci->bits = NULL;
30 -           bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
31 +           if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
32 +               bdfError("could not read bitmap for character '%s'\n", charName);
33 +               goto BAILOUT;
34 +           }
35             ci++;
36             ndx++;
37         } else
38 -- 
39 1.7.9.5
40
Mirror of the official openembedded-core repository