diff options
| author | emaste <emaste@FreeBSD.org> | 2015-09-24 13:06:19 +0000 |
|---|---|---|
| committer | emaste <emaste@FreeBSD.org> | 2015-09-24 13:06:19 +0000 |
| commit | c472cfaaf0dfb7adc4e8be2fb924508f7d708cd9 (patch) | |
| tree | c6b3dac0de088b7e7fdbd794ea6edef823e8dd48 /usr.bin | |
| parent | 6dd9d3e4991d46d682f455ce3e9d618f1b025067 (diff) | |
| download | FreeBSD-src-c472cfaaf0dfb7adc4e8be2fb924508f7d708cd9.zip FreeBSD-src-c472cfaaf0dfb7adc4e8be2fb924508f7d708cd9.tar.gz | |
MFC r287340: vtfontcvt: fix buffer overflow for non-default size .hex fonts
And r287336 which introduced xmalloc.
Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'usr.bin')
| -rw-r--r-- | usr.bin/vtfontcvt/vtfontcvt.c | 44 |
1 files changed, 35 insertions, 9 deletions
diff --git a/usr.bin/vtfontcvt/vtfontcvt.c b/usr.bin/vtfontcvt/vtfontcvt.c index 21c519b..a0895aa 100644 --- a/usr.bin/vtfontcvt/vtfontcvt.c +++ b/usr.bin/vtfontcvt/vtfontcvt.c @@ -96,6 +96,16 @@ usage(void) exit(1); } +static void * +xmalloc(size_t size) +{ + void *m; + + if ((m = malloc(size)) == NULL) + errx(1, "memory allocation failure"); + return (m); +} + static int add_mapping(struct glyph *gl, unsigned int c, unsigned int map_idx) { @@ -104,7 +114,7 @@ add_mapping(struct glyph *gl, unsigned int c, unsigned int map_idx) mapping_total++; - mp = malloc(sizeof *mp); + mp = xmalloc(sizeof *mp); mp->m_char = c; mp->m_glyph = gl; mp->m_length = 0; @@ -163,8 +173,8 @@ add_glyph(const uint8_t *bytes, unsigned int map_idx, int fallback) } } - gl = malloc(sizeof *gl); - gl->g_data = malloc(wbytes * height); + gl = xmalloc(sizeof *gl); + gl->g_data = xmalloc(wbytes * height); memcpy(gl->g_data, bytes, wbytes * height); if (fallback) TAILQ_INSERT_HEAD(&glyphs[map_idx], gl, g_list); @@ -290,17 +300,26 @@ parse_hex(FILE *fp, unsigned int map_idx) char *ln, *p; char fmt_str[8]; size_t length; - uint8_t bytes[wbytes * height], bytes_r[wbytes * height]; + uint8_t *bytes = NULL, *bytes_r = NULL; unsigned curchar = 0, i, line, chars_per_row, dwidth; + int rv = 0; while ((ln = fgetln(fp, &length)) != NULL) { ln[length - 1] = '\0'; if (strncmp(ln, "# Height: ", 10) == 0) { + if (bytes != NULL) + errx(1, "malformed input: Height tag after font data"); height = atoi(ln + 10); } else if (strncmp(ln, "# Width: ", 9) == 0) { + if (bytes != NULL) + errx(1, "malformed input: Width tag after font data"); set_width(atoi(ln + 9)); } else if (sscanf(ln, "%4x:", &curchar)) { + if (bytes == NULL) { + bytes = xmalloc(wbytes * height); + bytes_r = xmalloc(wbytes * height); + } p = ln + 5; chars_per_row = strlen(p) / height; dwidth = width; @@ -313,16 +332,23 @@ parse_hex(FILE *fp, unsigned int map_idx) sscanf(p, fmt_str, &line); p += chars_per_row; if (parse_bitmap_line(bytes + i * wbytes, - bytes_r + i * wbytes, line, dwidth) != 0) - return (1); + bytes_r + i * wbytes, line, dwidth) != 0) { + rv = 1; + goto out; + } } if (add_char(curchar, map_idx, bytes, - dwidth == width * 2 ? bytes_r : NULL) != 0) - return (1); + dwidth == width * 2 ? bytes_r : NULL) != 0) { + rv = 1; + goto out; + } } } - return (0); +out: + free(bytes); + free(bytes_r); + return (rv); } static int |
