vtfontcvt: fix buffer overflow for non-default size .hex fonts

Sponsored by: The FreeBSD Foundation
svn path=/head/; revision=287340
2025-01-11 17:04:19 +01:00 · 2015-09-01 01:35:43 +00:00 · 2015-09-01 01:35:43 +00:00 · a1f0b4cf95 · 2020-12-20 02:59:44 +00:00
commit a1f0b4cf95
parent de84a5132c
1 changed files with 22 additions and 6 deletions
--- a/usr.bin/vtfontcvt/vtfontcvt.c
+++ b/usr.bin/vtfontcvt/vtfontcvt.c
@ -300,17 +300,26 @@ parse_hex(FILE *fp, unsigned int map_idx)
 	char *ln, *p;
 	char fmt_str[8];
 	size_t length;
-	uint8_t bytes[wbytes * height], bytes_r[wbytes * height];
+	uint8_t *bytes = NULL, *bytes_r = NULL;
 	unsigned curchar = 0, i, line, chars_per_row, dwidth;
+	int rv = 0;

 	while ((ln = fgetln(fp, &length)) != NULL) {
 		ln[length - 1] = '\0';

 		if (strncmp(ln, "# Height: ", 10) == 0) {
+			if (bytes != NULL)
+				errx(1, "malformed input: Height tag after font data");
 			height = atoi(ln + 10);
 		} else if (strncmp(ln, "# Width: ", 9) == 0) {
+			if (bytes != NULL)
+				errx(1, "malformed input: Width tag after font data");
 			set_width(atoi(ln + 9));
 		} else if (sscanf(ln, "%4x:", &curchar)) {
+			if (bytes == NULL) {
+				bytes = xmalloc(wbytes * height);
+				bytes_r = xmalloc(wbytes * height);
+			}
 			p = ln + 5;
 			chars_per_row = strlen(p) / height;
 			dwidth = width;
@ -323,16 +332,23 @@ parse_hex(FILE *fp, unsigned int map_idx)
 				sscanf(p, fmt_str, &line);
 				p += chars_per_row;
 				if (parse_bitmap_line(bytes + i * wbytes,
-				    bytes_r + i * wbytes, line, dwidth) != 0)
-					return (1);
+				    bytes_r + i * wbytes, line, dwidth) != 0) {
+					rv = 1;
+					goto out;
+				}
 			}

 			if (add_char(curchar, map_idx, bytes,
-			    dwidth == width * 2 ? bytes_r : NULL) != 0)
-				return (1);
+			    dwidth == width * 2 ? bytes_r : NULL) != 0) {
+				rv = 1;
+				goto out;
+			}
 		}
 	}
-	return (0);
+out:
+	free(bytes);
+	free(bytes_r);
+	return (rv);
 }

 static int