ref: 4235556c16d4eb0be17a4baac1801bfd92541e0a
parent: 5f8cacd2de0afc51a4c01a358ed087847f284dda
author: cinap_lenrek <[email protected]>
date: Mon Feb 23 22:30:21 EST 2015
libdraw: check fontchar count in openmemsubfont() and readsubfont()
--- a/sys/src/libdraw/readsubfont.c
+++ b/sys/src/libdraw/readsubfont.c
@@ -18,23 +18,22 @@
if(i == nil)
return nil;
}
+ p = nil;
if(read(fd, hdr, 3*12) != 3*12){- if(ai == nil)
- freeimage(i);
- werrstr("rdsubfonfile: header read error: %r");- return nil;
+ werrstr("readsubfont: header read error: %r");+ goto Err;
}
n = atoi(hdr);
+ if(n <= 0 || n > 0x7fff){+ werrstr("readsubfont: bad fontchar count %d", n);+ goto Err;
+ }
p = malloc(6*(n+1));
if(p == nil)
goto Err;
if(read(fd, p, 6*(n+1)) != 6*(n+1)){- werrstr("rdsubfonfile: fontchar read error: %r");- Err:
- if(ai == nil)
- freeimage(i);
- free(p);
- return nil;
+ werrstr("readsubfont: fontchar read error: %r");+ goto Err;
}
fc = malloc(sizeof(Fontchar)*(n+1));
if(fc == nil)
@@ -51,6 +50,11 @@
}
free(p);
return f;
+Err:
+ if(ai == nil)
+ freeimage(i);
+ free(p);
+ return nil;
}
Subfont*
--- a/sys/src/libmemdraw/openmemsubfont.c
+++ b/sys/src/libmemdraw/openmemsubfont.c
@@ -25,6 +25,10 @@
goto Err;
}
n = atoi(hdr);
+ if(n <= 0 || n > 0x7fff){+ werrstr("openmemsubfont: bad fontchar count %d", n);+ goto Err;
+ }
p = malloc(6*(n+1));
if(p == nil)
goto Err;
@@ -46,9 +50,7 @@
return sf;
Err:
close(fd);
- if (i != nil)
- freememimage(i);
- if (p != nil)
- free(p);
+ free(p);
+ freememimage(i);
return nil;
}