vtfontcvt: fix buffer overflow for non-default size .hex fonts

Sponsored by:	The FreeBSD Foundation

1 files changed, 22 insertions, 6 deletions

diff --git a/usr.bin/vtfontcvt/vtfontcvt.c b/usr.bin/vtfontcvt/vtfontcvt.c
index f2c69d2..4dadee7 100644
--- a/usr.bin/vtfontcvt/vtfontcvt.c
+++ b/usr.bin/vtfontcvt/vtfontcvt.c
@@ -300,17 +300,26 @@ parse_hex(FILE *fp, unsigned int map_idx)
 	char *ln, *p;
 	char fmt_str[8];
 	size_t length;
-	uint8_t bytes[wbytes * height], bytes_r[wbytes * height];
+	uint8_t *bytes = NULL, *bytes_r = NULL;
 	unsigned curchar = 0, i, line, chars_per_row, dwidth;
+	int rv = 0;
 
 	while ((ln = fgetln(fp, &length)) != NULL) {
 		ln[length - 1] = '\0';
 
 		if (strncmp(ln, "# Height: ", 10) == 0) {
+			if (bytes != NULL)
+				errx(1, "malformed input: Height tag after font data");
 			height = atoi(ln + 10);
 		} else if (strncmp(ln, "# Width: ", 9) == 0) {
+			if (bytes != NULL)
+				errx(1, "malformed input: Width tag after font data");
 			set_width(atoi(ln + 9));
 		} else if (sscanf(ln, "%4x:", &curchar)) {
+			if (bytes == NULL) {
+				bytes = xmalloc(wbytes * height);
+				bytes_r = xmalloc(wbytes * height);
+			}
 			p = ln + 5;
 			chars_per_row = strlen(p) / height;
 			dwidth = width;
@@ -323,16 +332,23 @@ parse_hex(FILE *fp, unsigned int map_idx)
 				sscanf(p, fmt_str, &line);
 				p += chars_per_row;
 				if (parse_bitmap_line(bytes + i * wbytes,
-				    bytes_r + i * wbytes, line, dwidth) != 0)
-					return (1);
+				    bytes_r + i * wbytes, line, dwidth) != 0) {
+					rv = 1;
+					goto out;
+				}
 			}
 
 			if (add_char(curchar, map_idx, bytes,
-			    dwidth == width * 2 ? bytes_r : NULL) != 0)
-				return (1);
+			    dwidth == width * 2 ? bytes_r : NULL) != 0) {
+				rv = 1;
+				goto out;
+			}
 		}
 	}
-	return (0);
+out:
+	free(bytes);
+	free(bytes_r);
+	return (rv);
 }
 
 static int