Ticket #29631: patch-01-buffer-limit

File patch-01-buffer-limit, 1.1 KB (added by gnw3, 13 years ago)

Avoid buffer overflow in lib/t1lib/parseAFM.c token() and linetoken().

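diff -ur t1lib-5.1.2.orig/lib/t1lib/parseAFM.c t1lib-5.1.2/lib/t1lib/parseAFM.c
--- t1lib-5.1.2.orig/lib/t1lib/parseAFM.c       2007-12-23 16:49:42.000000000 +0100
+++ t1lib-5.1.2/lib/t1lib/parseAFM.c    2011-04-13 20:48:00.000000000 +0200
@@ -179,6 +179,8 @@
 
 /*************************** PARSING ROUTINES **************/
   
+#define MAX_NAME_1 MAX_NAME-1   /* check for buffer overflow */
+
 /*************************** token *************************/
 
 /*  A "AFM File Conventions" tokenizer. That means that it will
@@ -198,7 +200,8 @@
     
     idx = 0;
     
-    while (ch != EOF && ch != ' ' && ch != CR  && ch != LF &&
+    while (idx < MAX_NAME_1 &&
+          ch != EOF && ch != ' ' && ch != CR  && ch != LF &&
           ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';'){
       ident[idx++] = ch;
       ch = fgetc(stream);
@@ -235,7 +238,7 @@
     while ((ch = fgetc(stream)) == ' ' || ch == '\t' );
     
     idx = 0;
-    while (ch != EOF && ch != CR  && ch != LF && ch != CTRL_Z)
+    while (idx < MAX_NAME_1 && ch != EOF && ch != CR  && ch != LF && ch != CTRL_Z)
     {
         ident[idx++] = ch;
         ch = fgetc(stream);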
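Review bot: When either loop in token() or linetoken() stops on `idx < MAX_NAME_1` instead of on a delimiter, the rest of the over-long token stays in the stream, so a malformed AFM file is silently truncated and the leftover bytes are presumably parsed as the next token rather than rejected. After the bounded loop, either drain to the delimiter, e.g. in linetoken() `while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z) ch = fgetc(stream);`, or return an error the caller can act on. The bound is only correct if `ident` holds at least MAX_NAME bytes and the code after each loop writes the terminator at `ident[idx]`; both bodies continue outside these hunks, so that should be confirmed against the allocation. The macro should also be parenthesized, `#define MAX_NAME_1 (MAX_NAME - 1)`, so it stays correct if it is ever used next to a higher-precedence operator, and the comment would be more useful as `/* last index that leaves room for the terminating NUL in ident */`.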