svn commit: r349108 - head/usr.bin/vtfontcvt
Ed Maste
emaste at FreeBSD.org
Sun Jun 16 13:51:46 UTC 2019
Author: emaste
Date: Sun Jun 16 13:51:45 2019
New Revision: 349108
URL: https://svnweb.freebsd.org/changeset/base/349108
Log:
vtfontcvt: improve .bdf validation
Previously if we had a BBX entry that had invalid values (e.g. bounding
box outside of font bounding box) and failed sscanf (e.g., because it
had fewer than four values) we skipped the BBX value validation and then
triggered an assertion failure.
Reported by: afl
MFC with: r349100
Event: Berlin Devsummit 2019
Sponsored by: The FreeBSD Foundation
Modified:
head/usr.bin/vtfontcvt/vtfontcvt.c
Modified: head/usr.bin/vtfontcvt/vtfontcvt.c
==============================================================================
--- head/usr.bin/vtfontcvt/vtfontcvt.c Sun Jun 16 13:35:53 2019 (r349107)
+++ head/usr.bin/vtfontcvt/vtfontcvt.c Sun Jun 16 13:51:45 2019 (r349108)
@@ -379,9 +379,10 @@ parse_bdf(FILE *fp, unsigned int map_idx)
curchar = atoi(ln + 9);
} else if (strncmp(ln, "DWIDTH ", 7) == 0) {
dwidth = atoi(ln + 7);
- } else if (strncmp(ln, "BBX ", 4) == 0 &&
- sscanf(ln + 4, "%d %d %d %d", &bbw, &bbh, &bbox,
- &bboy) == 4) {
+ } else if (strncmp(ln, "BBX ", 4) == 0) {
+ if (sscanf(ln + 4, "%d %d %d %d", &bbw, &bbh, &bbox,
+ &bboy) != 4)
+ errx(1, "invalid BBX at line %u", linenum);
if (bbw < 1 || bbh < 1 || bbw > fbbw || bbh > fbbh ||
bbox < fbbox || bboy < fbboy ||
bbh + bboy > fbbh + fbboy)
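Review bot: The bounds condition that now runs for every BBX line (the unchanged `if (bbw < 1 || bbh < 1 || ...` at the end of the hunk) checks the top edge with `bbh + bboy > fbbh + fbboy` but has no matching test for the right edge, so a glyph with `bbox >= fbbox` and `bbw <= fbbw` whose `bbw + bbox` exceeds `fbbw + fbbox` still passes. Consider adding `bbw + bbox > fbbw + fbbox` to the same condition. The sums are also computed in plain `int` on values taken straight from `sscanf("%d")`, and `bboy` has no upper bound before `bbh + bboy` is evaluated, so a very large offset can overflow; comparing differences against the font box, or range-checking the offsets first, would avoid that. The `atoi()` calls for ENCODING and DWIDTH in the context lines above still accept malformed numbers silently and may deserve the same `errx()` treatment as BBX gets here.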