17f3251f46
size calculations" ok ajacoutot@
$OpenBSD: patch-pango_glyphstring_c,v 1.1 2009/05/11 12:43:21 jasper Exp $
Security fix for CVE-2009-1194, "Pango integer overflow in heap allocation
size calculations"
Patch from upstream git, commit id: 4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e
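--- a/pango/glyphstring.c
+++ b/pango/glyphstring.c
@@ -61,14 +61,28 @@ pango_glyph_string_set_size (PangoGlyphString *string,
 while (new_len > string->space)
 {
 if (string->space == 0)
-string->space = 1;
+{
+string->space = 4;
+}
 else
-string->space *= 2;
-
-if (string->space < 0)
 {
-g_warning ("glyph string length overflows maximum integer size, truncated");
-new_len = string->space = G_MAXINT - 8;
+const guint max_space =
+MIN (G_MAXINT, G_MAXSIZE / MAX (sizeof(PangoGlyphInfo), sizeof(gint)));
+
+guint more_space = (guint)string->space * 2;
+
+if (more_space > max_space)
+{
+more_space = max_space;
+
+if ((guint)new_len > max_space)
+{
+g_error ("%s: failed to allocate glyph string of length %i\n",
+G_STRLOC, new_len);
+}
+}
+
+string->space = more_space;
 }
 }
 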
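Review bot: The new `max_space` bound in the else branch carries no comment explaining why it is the minimum of two limits, which is the whole point of the fix; a maintainer could later "simplify" it back to a plain G_MAXINT check and reintroduce the overflow. I would add above the `const guint max_space =` line: `/* Bound by both the gint range of string->space and the largest element count whose byte size fits in gsize, so the later space * sizeof (element) multiply cannot wrap. */` The allocation that performs that multiply is not in this hunk, and pango_glyph_string_set_size continues past the hunk, so whether every growth path is covered by this cap cannot be confirmed from here. Note also that g_error() terminates the process, so an oversized request now ends the host application rather than the previous silent truncation; since the function returns void and callers cannot observe failure, that is presumably the intended contract, but it is worth stating in the function's documentation.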