ref: a0955a1e0642982da01bd5032322ac7d121ff4d9
parent: 691b63ae5d08db0c1085938d86c7b5c0113cfcc6
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Mon Feb 23 22:30:21 EST 2015
libdraw: check fontchar count in openmemsubfont() and readsubfont()
--- a/sys/src/libdraw/readsubfont.c
+++ b/sys/src/libdraw/readsubfont.c
@@ -18,23 +18,22 @@
if(i == nil)
return nil;
}
+ p = nil;
if(read(fd, hdr, 3*12) != 3*12){- if(ai == nil)
- freeimage(i);
- werrstr("rdsubfonfile: header read error: %r");- return nil;
+ werrstr("readsubfont: header read error: %r");+ goto Err;
}
n = atoi(hdr);
+ if(n <= 0 || n > 0x7fff){+ werrstr("readsubfont: bad fontchar count %d", n);+ goto Err;
+ }
p = malloc(6*(n+1));
if(p == nil)
goto Err;
if(read(fd, p, 6*(n+1)) != 6*(n+1)){- werrstr("rdsubfonfile: fontchar read error: %r");- Err:
- if(ai == nil)
- freeimage(i);
- free(p);
- return nil;
+ werrstr("readsubfont: fontchar read error: %r");+ goto Err;
}
fc = malloc(sizeof(Fontchar)*(n+1));
if(fc == nil)
@@ -51,6 +50,11 @@
}
free(p);
return f;
+Err:
+ if(ai == nil)
+ freeimage(i);
+ free(p);
+ return nil;
}
Subfont*
--- a/sys/src/libmemdraw/openmemsubfont.c
+++ b/sys/src/libmemdraw/openmemsubfont.c
@@ -25,6 +25,10 @@
goto Err;
}
n = atoi(hdr);
+ if(n <= 0 || n > 0x7fff){+ werrstr("openmemsubfont: bad fontchar count %d", n);+ goto Err;
+ }
p = malloc(6*(n+1));
if(p == nil)
goto Err;
@@ -46,9 +50,7 @@
return sf;
Err:
close(fd);
- if (i != nil)
- freememimage(i);
- if (p != nil)
- free(p);
+ free(p);
+ freememimage(i);
return nil;
}
--
⑨