--- kon2-0.3.9b.orig/font/bdf.c
+++ kon2-0.3.9b/font/bdf.c
@@ -39,14 +39,20 @@
#include <fnld.h>
extern struct fontInfo fi;
-extern forceLoad;
+extern int forceLoad;
+
+int buffer_error()
+{
+ fprintf(stderr,"buffer overflow\n");
+ exit(1);
+}
u_char *FontLoadBdf(fp)
FILE *fp;
{
char *fdata = NULL, line[256], *p, *w, reg[256];
u_char ch, ch2;
- int num, width, high, i, code, data, k, n;
+ int num, width, high, i, code = 0, data, k, n;
struct fontRegs *fReg;
struct fontLoaderRegs *fldReg;
@@ -61,23 +67,38 @@
p = line + sizeof("FONTBOUNDINGBOX");
sscanf(p, "%d %d", &width, &high);
} else if (!strncmp("CHARSET_REGISTRY", line, 16)) {
- p = line + sizeof("CHARSET_REGISTRY");
- while(*p != '"') p ++;
+ p = line + sizeof("CHARSET_REGISTRY") - 1;
+ while(*p != '"') {
+ p ++;
+ if (p - line > 255) buffer_error();
+ }
w = ++p;
- while(*p != '"') p ++;
+ while(*p != '"') {
+ p ++;
+ if (p - line > 255) buffer_error();
+ }
*p = '\0';
- strcpy(reg, w);
+ strncpy(reg, w, sizeof(reg));
} else if (!strncmp("CHARSET_ENCODING", line, 16)) {
- p = line + sizeof("CHARSET_ENCODING");
- while(*p != '"') p ++;
+ p = line + sizeof("CHARSET_ENCODING") - 1;
+ while(*p != '"') {
+ p ++;
+ if (p - line > 255) buffer_error();
+ }
w = ++p;
- while(*p != '"') p ++;
+ while(*p != '"') {
+ p ++;
+ if (p - line > 255) buffer_error();
+ }
*p = '\0';
- strcat(reg, "-");
- strcat(reg, w);
+ if (strlen(reg) + 1 + strlen(w) + 1 < sizeof(reg)) {
+ strcat(reg, "-");
+ strcat(reg, w);
+ } else
+ buffer_error();
fi.type = CodingByRegistry(reg);
} else if (!num && !strncmp("CHARS ", line, 6)) {
- p = line + sizeof("CHARS");
+ p = line + sizeof("CHARS") - 1;
sscanf(p, "%d", &num);
break;
}
@@ -162,3 +183,4 @@
exit(0);
}
#endif
+
![[patchlogo]](http://patch-tracker.debian.org/static/img/swirlpatch.png)