svn commit: r349353 - head/usr.bin/vtfontcvt

[Warner Losh]

Author: imp
Date: Tue Jun 25 06:13:56 2019
New Revision: 349353
URL: https://svnweb.freebsd.org/changeset/base/349353

Log:
  Replay r349333 by emaste accidentally reverted by r349352
  
  vtfontcvt: improve .bdf validation
  
  Previously if we had a FONTBOUNDINGBOX or DWIDTH entry that had missing
  or invalid values and and failed sscanf, we would proceeded with
  partially initialized bounding box / device width variables.
  
  Reported by:	afl (FONTBOUNDINGBOX)
  MFC with:	r349100
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/usr.bin/vtfontcvt/vtfontcvt.c

Modified: head/usr.bin/vtfontcvt/vtfontcvt.c
==============================================================================
--- head/usr.bin/vtfontcvt/vtfontcvt.c	Tue Jun 25 04:50:09 2019	(r349352)
+++ head/usr.bin/vtfontcvt/vtfontcvt.c	Tue Jun 25 06:13:56 2019	(r349353)
@@ -335,9 +335,11 @@ parse_bdf(FILE *fp, unsigned int map_idx)
 					break;
 				}
 			}
-		} else if (strncmp(ln, "FONTBOUNDINGBOX ", 16) == 0 &&
-		    sscanf(ln + 16, "%d %d %d %d", &fbbw, &fbbh, &fbbox,
-		    &fbboy) == 4) {
+		} else if (strncmp(ln, "FONTBOUNDINGBOX ", 16) == 0) {
+			if (sscanf(ln + 16, "%d %d %d %d", &fbbw, &fbbh, &fbbox,
+			    &fbboy) != 4)
+				errx(1, "invalid FONTBOUNDINGBOX at line %u",
+				    linenum);
 			set_width(fbbw);
 			set_height(fbbh);
 			break;
@@ -353,8 +355,9 @@ parse_bdf(FILE *fp, unsigned int map_idx)
 		linenum++;
 		ln[length - 1] = '\0';
 
-		if (strncmp(ln, "DWIDTH ", 7) == 0 &&
-		    sscanf(ln + 7, "%d %d", &dwidth, &dwy) == 2) {
+		if (strncmp(ln, "DWIDTH ", 7) == 0) {
+			if (sscanf(ln + 7, "%d %d", &dwidth, &dwy) != 2)
+				errx(1, "invalid DWIDTH at line %u", linenum);
 			if (dwy != 0 || (dwidth != fbbw && dwidth * 2 != fbbw))
 				errx(1, "bitmap with unsupported DWIDTH %d %d at line %u",
 				    dwidth, dwy, linenum);