vtfontcvt: improve .bdf validation

Previously if we had a BBX entry that had invalid values (e.g. bounding
box outside of font bounding box) and failed sscanf (e.g., because it
had fewer than four values) we skipped the BBX value validation and then
triggered an assertion failure.

Reported by:	afl
MFC with:	r349100
Event:		Berlin Devsummit 2019
Sponsored by:	The FreeBSD Foundation
Ed Maste 2019-06-16 13:51:45 +00:00
parent fd0e3f7c98
commit 08584e2c48
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=349108

@ -379,9 +379,10 @@ parse_bdf(FILE *fp, unsigned int map_idx)
curchar = atoi(ln + 9);
} else if (strncmp(ln, "DWIDTH ", 7) == 0) {
dwidth = atoi(ln + 7);
} else if (strncmp(ln, "BBX ", 4) == 0 &&
sscanf(ln + 4, "%d %d %d %d", &bbw, &bbh, &bbox,
&bboy) == 4) {
} else if (strncmp(ln, "BBX ", 4) == 0) {
if (sscanf(ln + 4, "%d %d %d %d", &bbw, &bbh, &bbox,
&bboy) != 4)
errx(1, "invalid BBX at line %u", linenum);
if (bbw < 1 || bbh < 1 || bbw > fbbw || bbh > fbbh ||
bbox < fbbox || bboy < fbboy ||
bbh + bboy > fbbh + fbboy)
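
Review bot: The range condition in the new BBX branch bounds the glyph box on the left (bbox < fbbox), the bottom (bboy < fbboy) and the top (bbh + bboy > fbbh + fbboy), but has no matching test for the right edge. Consider adding bbw + bbox > fbbw + fbbox, or a comment saying why horizontal overhang is acceptable, so that a fuzzed BBX cannot place a glyph past the font bounding box on that side. Separately, bboy comes straight from sscanf %d and is only bounded from below before bbh + bboy is evaluated, so a value near INT_MAX overflows the signed addition; comparing bboy - fbboy > fbbh - bbh after the earlier clauses have passed avoids that. The DWIDTH and ENCODING context lines still use atoi, which reports no error on malformed input, so they deserve the same explicit "invalid ... at line %u" treatment this hunk gives BBX.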