diff options
author | Matthieu Herrb <matthieu@bluenote.herrb.com> | 2008-01-17 15:29:06 +0100 |
---|---|---|
committer | Matthieu Herrb <matthieu@bluenote.herrb.com> | 2008-01-17 15:29:06 +0100 |
commit | 8e133d96740d010a4fd969a8188e6e71fb2cafe2 (patch) | |
tree | 3e65f70d6b3de6b533853f32cd6b03f9b011e785 | |
parent | 6de61f82728df22ea01f9659df6581b87f33f11d (diff) |
Fix for CVE-2008-0006 - PCF Font parser buffer overflow.
-rw-r--r-- | dix/dixfonts.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/dix/dixfonts.c b/dix/dixfonts.c index 2979c6424..04f1f1b30 100644 --- a/dix/dixfonts.c +++ b/dix/dixfonts.c @@ -326,6 +326,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c) err = BadFontName; goto bail; } + /* check values for firstCol, lastCol, firstRow, and lastRow */ + if (pfont->info.firstCol > pfont->info.lastCol || + pfont->info.firstRow > pfont->info.lastRow || + pfont->info.lastCol - pfont->info.firstCol > 255) { + err = AllocError; + goto bail; + } if (!pfont->fpe) pfont->fpe = fpe; pfont->refcnt++; |