From owner-svn-src-head@freebsd.org Sun Jun 16 13:51:46 2019 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2317D15BFB43; Sun, 16 Jun 2019 13:51:46 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B60DA820D5; Sun, 16 Jun 2019 13:51:45 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 8E8A8F639; Sun, 16 Jun 2019 13:51:45 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x5GDpjag088520; Sun, 16 Jun 2019 13:51:45 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x5GDpjgh088519; Sun, 16 Jun 2019 13:51:45 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201906161351.x5GDpjgh088519@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Sun, 16 Jun 2019 13:51:45 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r349108 - head/usr.bin/vtfontcvt X-SVN-Group: head X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: head/usr.bin/vtfontcvt X-SVN-Commit-Revision: 349108 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: B60DA820D5 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.95 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.95)[-0.954,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 16 Jun 2019 13:51:46 -0000 Author: emaste Date: Sun Jun 16 13:51:45 2019 New Revision: 349108 URL: https://svnweb.freebsd.org/changeset/base/349108 Log: vtfontcvt: improve .bdf validation Previously if we had a BBX entry that had invalid values (e.g. bounding box outside of font bounding box) and failed sscanf (e.g., because it had fewer than four values) we skipped the BBX value validation and then triggered an assertion failure. Reported by: afl MFC with: r349100 Event: Berlin Devsummit 2019 Sponsored by: The FreeBSD Foundation Modified: head/usr.bin/vtfontcvt/vtfontcvt.c Modified: head/usr.bin/vtfontcvt/vtfontcvt.c ============================================================================== --- head/usr.bin/vtfontcvt/vtfontcvt.c Sun Jun 16 13:35:53 2019 (r349107) +++ head/usr.bin/vtfontcvt/vtfontcvt.c Sun Jun 16 13:51:45 2019 (r349108) @@ -379,9 +379,10 @@ parse_bdf(FILE *fp, unsigned int map_idx) curchar = atoi(ln + 9); } else if (strncmp(ln, "DWIDTH ", 7) == 0) { dwidth = atoi(ln + 7); - } else if (strncmp(ln, "BBX ", 4) == 0 && - sscanf(ln + 4, "%d %d %d %d", &bbw, &bbh, &bbox, - &bboy) == 4) { + } else if (strncmp(ln, "BBX ", 4) == 0) { + if (sscanf(ln + 4, "%d %d %d %d", &bbw, &bbh, &bbox, + &bboy) != 4) + errx(1, "invalid BBX at line %u", linenum); if (bbw < 1 || bbh < 1 || bbw > fbbw || bbh > fbbh || bbox < fbbox || bboy < fbboy || bbh + bboy > fbbh + fbboy)