Changeset 768 for libcacaTweet

Timestamp:

Apr 13, 2006, 7:57:19 PM (15 years ago)

Author:

Sam Hocevar

Message:

• Added a lot of sanity checks to the font parsing. It should now be secure against broken files, but it probably needs peer review.

File:

• libcaca/trunk/cucul/font.c (modified) (4 diffs)

libcaca/trunk/cucul/font.c

@@ -121 +121 @@
     }
 
+    if(size < sizeof(struct font_header))
+        return NULL;
+
     f = malloc(sizeof(struct cucul_font));
     f->private = (void *)(uintptr_t)data;
@@ -135 +138 @@
     f->header.flags = htons(f->header.flags);
 
+    if(size != 8 + f->header.control_size + f->header.data_size
+        || (f->header.bpp != 8 && f->header.bpp != 4 &&
+            f->header.bpp != 2 && f->header.bpp != 1))
+    {
+        free(f);
+        return NULL;
+    }
+
     f->block_list = malloc(f->header.blocks * sizeof(struct block_info));
     memcpy(f->block_list,
@@ -144 +155 @@
         f->block_list[i].stop = htonl(f->block_list[i].stop);
         f->block_list[i].index = htonl(f->block_list[i].index);
+
+        if(f->block_list[i].start > f->block_list[i].stop
+            || (i > 0 && f->block_list[i].start < f->block_list[i - 1].stop)
+            || f->block_list[i].index >= f->header.glyphs)
+        {
+            free(f->block_list);
+            free(f);
+            return NULL;
+        }
     }
 
@@ -156 +176 @@
         f->glyph_list[i].height = htons(f->glyph_list[i].height);
         f->glyph_list[i].data_offset = htonl(f->glyph_list[i].data_offset);
+
+        if(f->glyph_list[i].data_offset >= f->header.data_size
+            || f->glyph_list[i].data_offset
+                + f->glyph_list[i].width * f->glyph_list[i].height *
+                  f->header.bpp / 8 >= f->header.data_size)
+        {
+            free(f->glyph_list);
+            free(f->block_list);
+            free(f);
+            return NULL;
+        }
     }