b17dee6714
https://bugzilla.redhat.com/show_bug.cgi?id=543905 (slightly modified) to fix CVE-2009-4228 (Stack-based buffer overflow by loading malformed .FIG files)
52 lines
1.4 KiB
Text
52 lines
1.4 KiB
Text
$NetBSD: patch-af,v 1.1 2009/12/23 14:19:58 drochner Exp $
|
|
|
|
--- fig2dev/read1_3.c.orig 2003-04-08 22:18:51.000000000 +0000
|
|
+++ fig2dev/read1_3.c
|
|
@@ -441,7 +441,7 @@ FILE *fp;
|
|
{
|
|
F_text *t;
|
|
int n;
|
|
- char buf[128];
|
|
+ char buf[512];
|
|
|
|
Text_malloc(t);
|
|
t->type = T_LEFT_JUSTIFIED;
|
|
@@ -451,21 +451,33 @@ FILE *fp;
|
|
t->pen = 0;
|
|
t->angle = 0.0;
|
|
t->next = NULL;
|
|
- n = fscanf(fp," %d %lf %d %lf %lf %d %d %[^\n]", &t->font,
|
|
+ if (!fgets(buf, sizeof(buf), fp)) {
|
|
+ put_msg("Incomplete text data");
|
|
+ free((char *) t);
|
|
+ return (NULL);
|
|
+ }
|
|
+
|
|
+ /* Note using strlen(buf) here will waste a few bytes, as the
|
|
+ various text attributes are counted into this length too. */
|
|
+ t->cstring = (char *) calloc((unsigned)(strlen(buf)+1), sizeof(char));
|
|
+ if (t->cstring == NULL)
|
|
+ return (NULL);
|
|
+ n = sscanf(buf," %d %lf %d %lf %lf %d %d %[^\n]", &t->font,
|
|
&t->size, &t->flags, &t->height, &t->length,
|
|
- &t->base_x, &t->base_y, buf);
|
|
+ &t->base_x, &t->base_y, t->cstring);
|
|
if (n != 8) {
|
|
put_msg("incomplete text data");
|
|
+ free(t->cstring);
|
|
free((char*)t);
|
|
return(NULL);
|
|
}
|
|
- t->cstring = (char *) calloc((unsigned)(strlen(buf)+1), sizeof(char));
|
|
- if (t->cstring == NULL) {
|
|
+
|
|
+ if (!strlen(t->cstring)) {
|
|
+ free(t->cstring);
|
|
put_msg(Err_mem);
|
|
free((char*) t);
|
|
return(NULL);
|
|
}
|
|
- (void)strcpy(t->cstring, buf);
|
|
if (t->size == 0) t->size = 18;
|
|
return(t);
|
|
}
|