Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 24 Jun 2019 17:25:14 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r349333 - head/usr.bin/vtfontcvt
Message-ID:  <201906241725.x5OHPE3f057348@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: emaste
Date: Mon Jun 24 17:25:14 2019
New Revision: 349333
URL: https://svnweb.freebsd.org/changeset/base/349333

Log:
  vtfontcvt: improve .bdf validation
  
  Previously if we had a FONTBOUNDINGBOX or DWIDTH entry that had missing
  or invalid values and and failed sscanf, we would proceeded with
  partially initialized bounding box / device width variables.
  
  Reported by:	afl (FONTBOUNDINGBOX)
  MFC with:	r349100
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/usr.bin/vtfontcvt/vtfontcvt.c

Modified: head/usr.bin/vtfontcvt/vtfontcvt.c
==============================================================================
--- head/usr.bin/vtfontcvt/vtfontcvt.c	Mon Jun 24 17:05:31 2019	(r349332)
+++ head/usr.bin/vtfontcvt/vtfontcvt.c	Mon Jun 24 17:25:14 2019	(r349333)
@@ -335,9 +335,11 @@ parse_bdf(FILE *fp, unsigned int map_idx)
 					break;
 				}
 			}
-		} else if (strncmp(ln, "FONTBOUNDINGBOX ", 16) == 0 &&
-		    sscanf(ln + 16, "%d %d %d %d", &fbbw, &fbbh, &fbbox,
-		    &fbboy) == 4) {
+		} else if (strncmp(ln, "FONTBOUNDINGBOX ", 16) == 0) {
+			if (sscanf(ln + 16, "%d %d %d %d", &fbbw, &fbbh, &fbbox,
+			    &fbboy) != 4)
+				errx(1, "invalid FONTBOUNDINGBOX at line %u",
+				    linenum);
 			set_width(fbbw);
 			set_height(fbbh);
 			break;
@@ -353,8 +355,9 @@ parse_bdf(FILE *fp, unsigned int map_idx)
 		linenum++;
 		ln[length - 1] = '\0';
 
-		if (strncmp(ln, "DWIDTH ", 7) == 0 &&
-		    sscanf(ln + 7, "%d %d", &dwidth, &dwy) == 2) {
+		if (strncmp(ln, "DWIDTH ", 7) == 0) {
+			if (sscanf(ln + 7, "%d %d", &dwidth, &dwy) != 2)
+				errx(1, "invalid DWIDTH at line %u", linenum);
 			if (dwy != 0 || (dwidth != fbbw && dwidth * 2 != fbbw))
 				errx(1, "bitmap with unsupported DWIDTH %d %d at line %u",
 				    dwidth, dwy, linenum);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201906241725.x5OHPE3f057348>