authorMatthieu Herrb <matthieu@bluenote.herrb.com>2008-01-17 15:29:06 +0100
committerMatthieu Herrb <matthieu@bluenote.herrb.com>2008-01-17 15:29:06 +0100
commit8e133d96740d010a4fd969a8188e6e71fb2cafe2 (patch)
tree3e65f70d6b3de6b533853f32cd6b03f9b011e785
parent6de61f82728df22ea01f9659df6581b87f33f11d (diff)
Fix for CVE-2008-0006 - PCF Font parser buffer overflow.
-rw-r--r--dix/dixfonts.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index 2979c6424..04f1f1b30 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -326,6 +326,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
err = BadFontName;
goto bail;
}
+ /* check values for firstCol, lastCol, firstRow, and lastRow */
+ if (pfont->info.firstCol > pfont->info.lastCol ||
+ pfont->info.firstRow > pfont->info.lastRow ||
+ pfont->info.lastCol - pfont->info.firstCol > 255) {
+ err = AllocError;
+ goto bail;
+ }
if (!pfont->fpe)
pfont->fpe = fpe;
pfont->refcnt++;
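Review bot: The new rejection branch sets `err = AllocError`, so a font with inverted or oversized ranges is reported as if memory had run out, which makes a malformed-font rejection hard to tell apart from real exhaustion when triaging; the branch just above uses `BadFontName`, which fits a bad font better. The comment could say why the check exists, for example `/* reject inverted ranges and column spans over 255 (CVE-2008-0006) */`. Only the column span gets an upper bound; whether `lastRow - firstRow` needs one too depends on consumers that are not visible in this hunk. The `bail` label is outside the hunk, so it is worth confirming that it releases the already opened `pfont`, since otherwise each rejected font may stay open.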