opt/fontforge/CVE-2010-4259.patch
2011-06-04 13:07:46 +02:00


--- fontforge/fontforge/fvimportbdf.c 15 Apr 2010 10:47:36 -0000 1.58
+++ fontforge/fontforge/fvimportbdf.c 3 Dec 2010 21:03:38 -0000
@@ -560,7 +560,7 @@
}
if ( strcmp(tok,"FONT")==0 ) {
- if ( sscanf(buf,"-%*[^-]-%[^-]-%[^-]-%[^-]-%*[^-]-", family, weight, italic )!=0 ) {
+ if ( sscanf(buf,"-%*[^-]-%99[^-]-%99[^-]-%99[^-]-%*[^-]-", family, weight, italic )!=0 ) {
char *pt=buf;
int dcnt=0;
while ( *pt=='-' && dcnt<7 ) { ++pt; ++dcnt; }
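Review bot: The `%99[^-]` widths on the FONT line bound the copies only if family, weight and italic are each at least 100 bytes, and their declarations are outside this hunk, so that size should be confirmed and preferably expressed as a named constant shared with the declarations instead of a bare 99 repeated three times. The unchanged `!=0` test also still accepts a partial match: an XLFD-style name with fewer dash-separated fields than the format expects returns 1 or 2 and the body runs with weight and/or italic never assigned (and EOF, -1, for an empty buf passes the test too); `!=3` — i.e. `if ( sscanf(buf,"-%*[^-]-%99[^-]-%99[^-]-%99[^-]-%*[^-]-", family, weight, italic )==3 )` — would be the stricter check unless the callers pre-fill those buffers, which cannot be seen from here. The body of the enclosing function continues past the end of the hunk.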
@@ -616,26 +616,30 @@
sscanf(buf, "%d", &defs->metricsset );
else if ( strcmp(tok,"VVECTOR")==0 )
sscanf(buf, "%*d %d", &defs->vertical_origin );
+ /* For foundry, fontname and encname, only copy up to the buffer size */
else if ( strcmp(tok,"FOUNDRY")==0 )
- sscanf(buf, "%[^\"]", foundry );
+ sscanf(buf, "%99[^\"]", foundry );
else if ( strcmp(tok,"FONT_NAME")==0 )
- sscanf(buf, "%[^\"]", fontname );
+ sscanf(buf, "%99[^\"]", fontname );
else if ( strcmp(tok,"CHARSET_REGISTRY")==0 )
- sscanf(buf, "%[^\"]", encname );
+ sscanf(buf, "%99[^\"]", encname );
else if ( strcmp(tok,"CHARSET_ENCODING")==0 ) {
enc = 0;
if ( sscanf(buf, " %d", &enc )!=1 )
sscanf(buf, "%d", &enc );
+ /* These properties should be copied up to the buffer length too */
} else if ( strcmp(tok,"FAMILY_NAME")==0 ) {
- strcpy(family,buf);
+ strncpy(family,buf,99);
} else if ( strcmp(tok,"FULL_NAME")==0 || strcmp(tok,"FACE_NAME")==0 ) {
- strcpy(full,buf);
+ strncpy(full,buf,99);
} else if ( strcmp(tok,"WEIGHT_NAME")==0 )
- strcpy(weight,buf);
+ strncpy(weight,buf,99);
else if ( strcmp(tok,"SLANT")==0 )
- strcpy(italic,buf);
+ strncpy(italic,buf,99);
else if ( strcmp(tok,"COPYRIGHT")==0 ) {
- strcpy(comments,buf);
+ /* LS: Assume the size of the passed-in buffer is 1000, see below in
+ * COMMENT */
+ strncpy(comments,buf,999);
found_copyright = true;
} else if ( strcmp(tok,"COMMENT")==0 && !found_copyright ) {
char *pt = comments+strlen(comments);
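Review bot: The strncpy calls added for FAMILY_NAME, FULL_NAME/FACE_NAME, WEIGHT_NAME, SLANT and COPYRIGHT stop the write overflow but do not guarantee a terminator: when buf holds 99 (or, for comments, 999) or more characters the destination is left without a NUL, and every later strlen/strcpy on it — including `comments+strlen(comments)` on the last line of this hunk — reads past the end of the buffer. Each copy should either set the terminator explicitly, `strncpy(family,buf,99); family[99] = '\0';`, or use a call that always terminates, `snprintf(family, 100, "%s", buf);`, and likewise for full, weight, italic and comments (with 1000). The 99/999 widths also hard-code destination sizes declared outside this hunk — the new COPYRIGHT comment admits the 1000 is an assumption — so a named constant shared with the declarations would keep the two from drifting apart; the `%99[^\"]` sscanf conversions above are fine as written since sscanf terminates its string conversions. The COMMENT branch that appends to comments continues past the end of the hunk, so whether it bounds its own write cannot be judged from here.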