From: Tobias Stoeckmann <tobias@stoeckmann.org>
To: kbd@lists.altlinux.org
Subject: [kbd] [PATCH] Validate psfu headers to avoid integer overflows.
Date: Fri, 28 Aug 2015 19:34:57 +0200
Message-ID: <20150828173456.GA3265@localhost>
[-- Attachment #1: Type: text/plain, Size: 2168 bytes --]
The psfu parser does not properly validate parsed values:
* unsigned int values are cast to signed int values when parameters are supplied, therefore they must be checked against INT_MAX (local size_t variables are used)
* fontwidth must not be larger than INT_MAX - 7, otherwise later alignment codes would overflow, e.g. (fontwidth + 7) / 8
* "ftoffset + fontlen * charsize" is prone to overflow, make sure that it does not; later on it will be checked against file size
* when parsing multiple files, make sure that the sum of all fonts won't overflow
---
Attached are two files which will crash the current code:
$ setfont setfont-fpe.psfu # font width too large
Floating point exception
$ psfxtable -i psfxtable-segfault.psfu # on 32 bit archs
Segmentation fault
Maybe there are more ways to trigger overflows, which makes it a
good target for fuzzing.
---
src/psffontop.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/psffontop.c b/src/psffontop.c
index 9d7ee54..e86d3cd 100644
--- a/src/psffontop.c
+++ b/src/psffontop.c
@@ -2,6 +2,7 @@
* psffontop.c - aeb@cwi.nl, 990921
*/
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -275,6 +276,27 @@ readpsffont(FILE *fontf, char **allbufp, int *allszp,
fprintf(stderr, u, progname);
exit(EX_DATAERR);
}
+ if (INT_MAX - 7 < fontwidth) {
+ char *u = _("%s: Input file: font width too large\n");
+ fprintf(stderr, u, progname);
+ exit(EX_DATAERR);
+ }
+
+ /* validate header to avoid integer overflows */
+ if ((size_t)(INT_MAX - fontpos0) < fontlen ||
+ INT_MAX / sizeof(struct unicode_list) < fontpos0 + fontlen ||
+ INT_MAX / charsize < fontlen) {
+ char *u = _("%s: too many glyphs to load\n");
+ fprintf(stderr, u, progname);
+ exit(EX_DATAERR);
+ }
+ if (ftoffset > inputbuflth ||
+ INT_MAX - ftoffset < fontlen * charsize) {
+ char *u = _("%s: Input file: bad offset\n");
+ fprintf(stderr, u, progname);
+ exit(EX_DATAERR);
+ }
+
i = ftoffset + fontlen * charsize;
if (i > inputlth || (!hastable && i != inputlth)) {
char *u = _("%s: Input file: bad input length (%d)\n");
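Review bot: the `INT_MAX / charsize < fontlen` test in the new "too many glyphs" check divides by charsize, and nothing in the visible lines rejects a header whose charsize is zero (the context above the hunk only shows an earlier error exit), so a zero charsize would turn this guard into a division by zero; either prepend `charsize == 0 ||` to that condition or confirm that the earlier validation already guarantees charsize > 0. Separately, the new offset check compares ftoffset against `inputbuflth` while the existing length check two lines below compares `i` against `inputlth`; if these are different quantities (buffer capacity versus bytes read) a short comment would help, and if they are the same the new check should use the same name.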
--
2.5.0
[-- Attachment #2: setfont-fpe.psfu --]
[-- Type: application/octet-stream, Size: 32 bytes --]
[-- Attachment #3: psfxtable-segfault.psfu --]
[-- Type: application/octet-stream, Size: 39 bytes --]
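The header checks described in the commit message above, as an added example that is not part of this patch or of kbd's own code: a stand-alone C validator using the patch's variable names (fontwidth, fontlen, charsize, ftoffset, fontpos0, inputlth). `struct psf_hdr`, `psf_validate`, `psf_check` and the 16-byte per-glyph record size are assumptions for the example, and it additionally guards the fontheight * bytes-per-row product that yields charsize, which the visible hunk does not check explicitly.

```c
#include <limits.h>
#include <stddef.h>

/* Hypothetical header record for this example; field names follow the patch
 * and hold the raw unsigned header values, before any cast to int. */
struct psf_hdr { unsigned fontwidth, fontheight, fontlen, ftoffset; };

enum psf_err { PSF_OK = 0, PSF_BAD_WIDTH, PSF_BAD_HEIGHT,
               PSF_TOO_MANY_GLYPHS, PSF_BAD_OFFSET, PSF_BAD_LENGTH };

/* Validate a PSF2-style header before any int arithmetic on it.
 * fontpos0: glyphs already loaded from earlier files (>= 0); inputlth: bytes read
 * from this file; rec_sz: size of the per-glyph record allocated later (> 0,
 * sizeof(struct unicode_list) in the patch); hastable: a unicode table follows.
 * On PSF_OK, *glyph_end receives ftoffset + fontlen * charsize. */
enum psf_err psf_validate(const struct psf_hdr *h, int fontpos0, size_t inputlth,
                          size_t rec_sz, int hastable, size_t *glyph_end)
{
    size_t bpr, charsize, fontlen = h->fontlen;
    /* fontwidth is cast to int later and (fontwidth + 7) / 8 must not wrap */
    if (h->fontwidth == 0 || h->fontwidth > (unsigned)INT_MAX - 7)
        return PSF_BAD_WIDTH;
    bpr = (h->fontwidth + 7) / 8;
    /* charsize = fontheight * bytes-per-row must itself fit in an int */
    if (h->fontheight == 0 || h->fontheight > (size_t)INT_MAX / bpr)
        return PSF_BAD_HEIGHT;
    charsize = (size_t)h->fontheight * bpr;
    /* sum of all fonts, per-glyph records and fontlen * charsize must fit */
    if (fontlen > (size_t)(INT_MAX - fontpos0) ||
        (size_t)fontpos0 + fontlen > (size_t)INT_MAX / rec_sz ||
        fontlen > (size_t)INT_MAX / charsize)
        return PSF_TOO_MANY_GLYPHS;
    /* ftoffset + fontlen * charsize must fit and lie inside the data read */
    if (h->ftoffset > inputlth || fontlen * charsize > (size_t)INT_MAX - h->ftoffset)
        return PSF_BAD_OFFSET;
    *glyph_end = (size_t)h->ftoffset + fontlen * charsize;
    if (*glyph_end > inputlth || (!hastable && *glyph_end != inputlth))
        return PSF_BAD_LENGTH;
    return PSF_OK;
}

/* Convenience wrapper taking raw header values; rec_sz fixed at 16 bytes. */
enum psf_err psf_check(unsigned w, unsigned hgt, unsigned n, unsigned off,
                       int fontpos0, size_t inputlth, int hastable)
{
    struct psf_hdr h = { w, hgt, n, off };
    size_t end;
    return psf_validate(&h, fontpos0, inputlth, 16, hastable, &end);
}
```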
Thread overview:
2015-08-28 17:34 Tobias Stoeckmann [this message]
2016-11-20 17:15 [kbd] [PATCH] Validate psfu headers to avoid integer overflows Tobias Stoeckmann
2016-12-26 16:15 ` Alexey Gladkov