59 lines
1.7 KiB
Plaintext
59 lines
1.7 KiB
Plaintext
$OpenBSD: patch-f_readold_c,v 1.1 2009/12/27 22:09:24 jasper Exp $
|
|
|
|
Security fix for CVE-2009-4227.
|
|
Xfig ".fig" File Parsing Buffer Overflow
|
|
|
|
Patch from RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=543905
|
|
|
|
--- f_readold.c.pat.orig Thu Mar 29 02:23:14 2007
|
|
+++ f_readold.c Sun Dec 27 23:07:04 2009
|
|
@@ -471,7 +471,7 @@ read_1_3_textobject(FILE *fp)
|
|
F_text *t;
|
|
int n;
|
|
int dum;
|
|
- char buf[128];
|
|
+ char buf[512];
|
|
PR_SIZE tx_dim;
|
|
|
|
if ((t = create_text()) == NULL)
|
|
@@ -485,22 +485,34 @@ read_1_3_textobject(FILE *fp)
|
|
t->pen_style = -1;
|
|
t->angle = 0.0;
|
|
t->next = NULL;
|
|
+ if (!fgets(buf, sizeof(buf), fp)) {
|
|
+ file_msg("Incomplete text data");
|
|
+ free((char *) t);
|
|
+ return (NULL);
|
|
+ }
|
|
+
|
|
+ /* Note using strlen(buf) here will waste a few bytes, as the
|
|
+ various text attributes are counted into this length too. */
|
|
+ if ((t->cstring = new_string(strlen(buf))) == NULL)
|
|
+ return (NULL);
|
|
+
|
|
/* ascent and length will be recalculated later */
|
|
- n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
|
|
+ n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
|
|
&t->font, &dum, &dum, &t->ascent, &t->length,
|
|
- &t->base_x, &t->base_y, buf);
|
|
+ &t->base_x, &t->base_y, t->cstring);
|
|
if (n != 8) {
|
|
file_msg("Incomplete text data");
|
|
+ free(t->cstring);
|
|
free((char *) t);
|
|
return (NULL);
|
|
}
|
|
- if ((t->cstring = new_string(strlen(buf))) == NULL) {
|
|
+
|
|
+ if (!strlen(t->cstring)) {
|
|
+ free(t->cstring);
|
|
free((char *) t);
|
|
file_msg("Empty text string at line %d.", line_no);
|
|
return (NULL);
|
|
}
|
|
- /* put string in structure */
|
|
- strcpy(t->cstring, buf);
|
|
|
|
/* get the font struct */
|
|
t->zoom = zoomscale;
|