From: Hans de Goede <j.w.r.degoede@hhs.nl>
Subject: Fix Stack-based buffer overflow by loading malformed .FIG files
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=543905
Bug-Debian: http://bugs.debian.org/559274
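--- a/f_readold.c
+++ b/f_readold.c
@@ -471,7 +471,7 @@
  F_text *t;
  int n;
  int dum;
- char buf[128];
+ char buf[512];
  PR_SIZE tx_dim;
 
  if ((t = create_text()) == NULL)
@@ -485,22 +485,34 @@
  t->pen_style = -1;
  t->angle = 0.0;
  t->next = NULL;
+ if (!fgets(buf, sizeof(buf), fp)) {
+ file_msg("Incomplete text data");
+ free((char *) t);
+ return (NULL);
+ }
+
+ /* Note using strlen(buf) here will waste a few bytes, as the
+ various text attributes are counted into this length too. */
+ if ((t->cstring = new_string(strlen(buf))) == NULL)
+ return (NULL);
+
  /* ascent and length will be recalculated later */
- n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
+ n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
  &t->font, &dum, &dum, &t->ascent, &t->length,
- &t->base_x, &t->base_y, buf);
+ &t->base_x, &t->base_y, t->cstring);
  if (n != 8) {
  file_msg("Incomplete text data");
+ free(t->cstring);
  free((char *) t);
  return (NULL);
  }
- if ((t->cstring = new_string(strlen(buf))) == NULL) {
+
+ if (!strlen(t->cstring)) {
+ free(t->cstring);
  free((char *) t);
  file_msg("Empty text string at line %d.", line_no);
  return (NULL);
  }
- /* put string in structure */
- strcpy(t->cstring, buf);
 
  /* get the font struct */
  t->zoom = zoomscale;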
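Review bot: The new allocation-failure path at `if ((t->cstring = new_string(strlen(buf))) == NULL)` returns without releasing the F_text created earlier in the function, so `t` leaks on that branch while the other two error paths in this hunk do free it; it should read `free((char *) t);` before `return (NULL);` (new_string is not visible here, so whether it already reports the failure through file_msg cannot be told from the hunk). A smaller point: fgets() stops after sizeof(buf) - 1 characters, so a text record longer than 511 bytes is no longer a memory-safety problem but is silently split, with the remainder of the line consumed as the next record; checking that buf ends in a newline (or that EOF was reached) and reporting an over-long line would make that failure visible rather than producing a confusing parse error later. The enclosing function starts before the first hunk and continues past the end of this one.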