1453N/AFrom c8855746aec2a9b732502da0ca3258b4e701c61a Mon Sep 17 00:00:00 2001
1453N/AFrom: Peter Harris <pharris@opentext.com>
1453N/ADate: Mon, 7 Apr 2014 14:25:02 -0400
1453N/ASubject: [PATCH:libXfont] Fix buffer read overrun
1453N/A"FreeType" is only eight bytes long. The atom "FreeType\x00\x??" is
1453N/Aprobably not what the author intended.
1453N/ASigned-off-by: Peter Harris <pharris@opentext.com>
1453N/AReviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/A 1 file changed, 1 insertion(+), 1 deletion(-)
1453N/A@@ -1867,7 +1867,7 @@ FreeTypeAddProperties(FTFontPtr font, FontScalablePtr vals, FontInfoPtr info,
1453N/A info->props[i].name = MakeAtom("RASTERIZER_NAME", 15, TRUE);
1453N/A- info->props[i].value = MakeAtom("FreeType", 10, TRUE);
1453N/A+ info->props[i].value = MakeAtom("FreeType", 8, TRUE);
1453N/AFrom 371f8582a33235afa1b61d76e4fe98bdc9d7c083 Mon Sep 17 00:00:00 2001
1453N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/ADate: Sun, 20 Apr 2014 17:59:14 -0700
1453N/ASubject: [PATCH:libXfont 01/16] Check if pointer returned by BufFileCreate is
1453N/AFixes clang analyzer warning:
1453N/Abufio.c:165:13: warning: Access to field 'bufp' results in a dereference
1453N/A of a null pointer (loaded from variable 'f')
1453N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/AReviewed-by: Thomas Klausner <wiz@NetBSD.org>
1453N/A(cherry picked from commit c77a0784bdfc8c178f0742689cf6ae02a2fce37f)
1453N/A 1 file changed, 4 insertions(+), 2 deletions(-)
1453N/A@@ -162,8 +162,10 @@ BufFileOpenWrite (int fd)
1453N/A f = BufFileCreate ((char *)(long) fd, 0, BufFileRawFlush, 0, BufFileFlush);
1453N/AFrom 0a37bf2d9977db81573f300b0dc203df8fe108b5 Mon Sep 17 00:00:00 2001
1453N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/ADate: Fri, 25 Apr 2014 23:01:11 -0700
1453N/ASubject: [PATCH:libXfont 05/16] CVE-2014-0209: integer overflow of realloc()
1453N/AContent-Transfer-Encoding: 8bit
1453N/Aline in an fscanf loop. For each successful entry read (font name,
1453N/Afile name) a call is made to FontFileAddFontFile().
1453N/AFontFileAddFontFile() will add a font file entry (for the font name
1453N/Aand file) each time it’s called, by calling FontFileAddEntry().
1453N/AFontFileAddEntry() will do the actual adding. If the table it has
1453N/Ato add to is full, it will do a realloc, adding 100 more entries
1453N/Ato the table size without checking to see if that will overflow the
1453N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1453N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/AReviewed-by: Adam Jackson <ajax@redhat.com>
1453N/AReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
1453N/A(cherry picked from commit 2f5e57317339c526e6eaee1010b0e2ab8089c42e)
1453N/A 1 file changed, 5 insertions(+)
1453N/Aindex ef7ffa5..7271603 100644
1453N/A@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
1453N/A return (FontEntryPtr) 0; /* "cannot" happen */
1453N/A if (table->used == table->size) {
1453N/A+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
1453N/A+ /* If we've read so many entries we're going to ask for 2gb
1453N/A+ or more of memory, something is so wrong with this font
1453N/A+ directory that we should just give up before we overflow. */
1453N/A newsize = table->size + 100;
1453N/A entry = realloc(table->entries, newsize * sizeof(FontEntryRec));
1453N/AFrom 26643c0c3f4e53945516e20e00dfbb4d69a39c65 Mon Sep 17 00:00:00 2001
1453N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/ADate: Fri, 25 Apr 2014 23:01:48 -0700
1453N/ASubject: [PATCH:libXfont 06/16] CVE-2014-0209: integer overflow of realloc()
1453N/AlexAlias() reads from a file in a loop. It does this by starting with a
1453N/A64 byte buffer. If that size limit is hit, it does a realloc of the
1453N/Abuffer size << 1, basically doubling the needed length every time the
1453N/AEventually, this will shift out to 0 (for a length of ~4gig), and that
1453N/Alength will be passed on to realloc(). A length of 0 (with a valid
1453N/Apointer) causes realloc to free the buffer on most POSIX platforms,
1453N/Abut the caller will still have a pointer to it, leading to use after
1453N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1453N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/AReviewed-by: Adam Jackson <ajax@redhat.com>
1453N/AReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
1453N/A(cherry picked from commit 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc)
1453N/A 1 file changed, 4 insertions(+)
1453N/Aindex 0d34db9..639310c 100644
1453N/A@@ -42,6 +42,7 @@ in this Software without prior written authorization from The Open Group.
1453N/A static Bool AddFileNameAliases ( FontDirectoryPtr dir );
1453N/A static int ReadFontAlias ( char *directory, Bool isFile,
1453N/A@@ -374,6 +375,9 @@ lexAlias(FILE *file, char **lexToken)
1453N/A+ if (tokenSize >= (INT_MAX >> 2))
1453N/A+ /* Stop before we overflow */
1453N/A nsize = tokenSize ? (tokenSize << 1) : 64;
1453N/A nbuf = realloc(tokenBuf, nsize);
1453N/AFrom 23dcf6b1da8b5088856aef12b4a3f4581836f63a Mon Sep 17 00:00:00 2001
1453N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/ADate: Fri, 25 Apr 2014 23:02:00 -0700
1453N/ASubject: [PATCH:libXfont 07/16] CVE-2014-0210: unvalidated length in
1453N/AThe connection setup reply from the font server can include a list
1453N/Aof alternate servers to contact if this font server stops working.
1453N/AThe reply specifies a total size of all the font server names, and
1453N/Athen provides a list of names. _fs_recv_conn_setup() allocated the
1453N/Aspecified total size for copying the names to, but didn't check to
1453N/Amake sure it wasn't copying more data to that buffer than the size
1453N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1453N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/AReviewed-by: Adam Jackson <ajax@redhat.com>
1453N/AReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
1453N/A(cherry picked from commit 891e084b26837162b12f841060086a105edde86d)
1453N/A 1 file changed, 18 insertions(+), 2 deletions(-)
1453N/Aindex 92f90b2..46418bd 100644
1453N/A@@ -2784,7 +2784,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
1453N/A char *alt_save, *alt_names;
1453N/A@@ -2811,8 +2811,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
1453N/A+ size_t alt_name_len = setup->alternate_len << 2;
1453N/A alts = malloc (setup->num_alternates * sizeof (FSFpeAltRec) +
1453N/A- (setup->alternate_len << 2));
1453N/A alt_names = (char *) (setup + 1);
1453N/A@@ -2821,10 +2822,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
1453N/A alts[i].subset = alt_names[0];
1453N/A+ if (alt_len >= alt_name_len) {
1453N/A+ * Length is longer than setup->alternate_len
1453N/A+ * told us to allocate room for, assume entire
1453N/A+ * alternate list is corrupted.
1453N/A+ "invalid alt list (length %lx >= %lx)\n",
1453N/A+ (long) alt_len, (long) alt_name_len);
1453N/A memcpy (alt_save, alt_names + 2, alt_len);
1453N/A+ alt_name_len -= alt_len + 1;
1453N/A alt_names += _fs_pad_length (alt_len + 2);
1453N/A conn->numAlts = setup->num_alternates;
1453N/AFrom 647d9ea15e34779afa442d362997d92488778907 Mon Sep 17 00:00:00 2001
1453N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/ADate: Fri, 25 Apr 2014 23:02:12 -0700
1453N/ASubject: [PATCH:libXfont 08/16] CVE-2014-0210: unvalidated lengths when
1453N/A reading replies from font server
1453N/AFunctions to handle replies to font server requests were casting replies
1453N/Afrom the generic form to reply specific structs without first checking
1453N/Athat the reply was at least as long as the struct being cast to.
1453N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1453N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/AReviewed-by: Adam Jackson <ajax@redhat.com>
1453N/AReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
1453N/A(cherry picked from commit cbb64aef35960b2882be721f4b8fbaa0fb649d12)
1453N/A 1 file changed, 38 insertions(+), 6 deletions(-)
1453N/Aindex 46418bd..97b7659 100644
1453N/A@@ -91,6 +91,12 @@ in this Software without prior written authorization from The Open Group.
1453N/A+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words,
1453N/A+ * so this converts for doing size comparisons.
1453N/A+#define LENGTHOF(r) (SIZEOF(r) >> 2)
1453N/A extern void ErrorF(const char *f, ...);
1453N/A static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
1453N/A@@ -206,9 +212,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGenericReply *rep)
1453N/A conn->reqbuffer[i].opcode);
1453N/A+#define _fs_reply_failed(rep, name, op) do { \
1453N/A+ if (rep->type == FS_Error) \
1453N/A+ fprintf (stderr, "Error: %d Request: %s\n", \
1453N/A+ ((fsError *)rep)->request, #name); \
1453N/A+ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \
1453N/A+ #name, rep->length, op, LENGTHOF(name)); \
1453N/A #define _fs_add_req_log(conn,op) ((conn)->current_seq++)
1453N/A #define _fs_add_rep_log(conn,rep)
1453N/A+#define _fs_reply_failed(rep,name,op)
1453N/A@@ -682,13 +701,15 @@ fs_read_open_font(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
1453N/A rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret);
1453N/A- if (!rep || rep->type == FS_Error)
1453N/A+ if (!rep || rep->type == FS_Error ||
1453N/A+ (rep->length != LENGTHOF(fsOpenBitmapFontReply)))
1453N/A _fs_done_read (conn, rep->length << 2);
1453N/A+ _fs_reply_failed (rep, fsOpenBitmapFontReply, "!=");
1453N/A@@ -824,13 +845,15 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
1453N/A rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret);
1453N/A- if (!rep || rep->type == FS_Error)
1453N/A+ if (!rep || rep->type == FS_Error ||
1453N/A+ (rep->length < LENGTHOF(fsQueryXInfoReply)))
1453N/A _fs_done_read (conn, rep->length << 2);
1453N/A+ _fs_reply_failed (rep, fsQueryXInfoReply, "<");
1453N/A@@ -951,13 +974,15 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
1453N/A FontInfoRec *fi = &bfont->pfont->info;
1453N/A rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret);
1453N/A- if (!rep || rep->type == FS_Error)
1453N/A+ if (!rep || rep->type == FS_Error ||
1453N/A+ (rep->length < LENGTHOF(fsQueryXExtents16Reply)))
1453N/A _fs_done_read (conn, rep->length << 2);
1453N/A+ _fs_reply_failed (rep, fsQueryXExtents16Reply, "<");
1453N/A@@ -1823,13 +1848,15 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
1453N/A unsigned long minchar, maxchar;
1453N/A rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret);
1453N/A- if (!rep || rep->type == FS_Error)
1453N/A+ if (!rep || rep->type == FS_Error ||
1453N/A+ (rep->length < LENGTHOF(fsQueryXBitmaps16Reply)))
1453N/A _fs_done_read (conn, rep->length << 2);
1453N/A+ _fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<");
1453N/A@@ -2232,12 +2259,14 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
1453N/A rep = (fsListFontsReply *) fs_get_reply (conn, &ret);
1453N/A- if (!rep || rep->type == FS_Error)
1453N/A+ if (!rep || rep->type == FS_Error ||
1453N/A+ (rep->length < LENGTHOF(fsListFontsReply)))
1453N/A _fs_done_read (conn, rep->length << 2);
1453N/A+ _fs_reply_failed (rep, fsListFontsReply, "<");
1453N/A data = (char *) rep + SIZEOF (fsListFontsReply);
1453N/A@@ -2356,12 +2385,15 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
1453N/A _fs_free_props (&binfo->info);
1453N/A rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
1453N/A- if (!rep || rep->type == FS_Error)
1453N/A+ if (!rep || rep->type == FS_Error ||
1453N/A+ ((rep->nameLength != 0) &&
1453N/A+ (rep->length < LENGTHOF(fsListFontsWithXInfoReply))))
1453N/A binfo->status = FS_LFWI_FINISHED;
1453N/A+ _fs_reply_failed (rep, fsListFontsWithXInfoReply, "<");
1453N/AFrom 633005ac24a44dacaf6beb3ed240ae0ea7e022d7 Mon Sep 17 00:00:00 2001
1453N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/ADate: Fri, 25 Apr 2014 23:02:25 -0700
1453N/ASubject: [PATCH:libXfont 09/16] CVE-2014-0211: Integer overflow in
1453N/A fs_get_reply/_fs_start_read
1453N/Afs_get_reply() would take any reply size, multiply it by 4 and pass to
1453N/A_fs_start_read. If that size was bigger than the current reply buffer
1453N/Asize, _fs_start_read would add it to the existing buffer size plus the
1453N/Abuffer size increment constant and realloc the buffer to that result.
1453N/AThis math could overflow, causing the code to allocate a smaller
1453N/Abuffer than the amount it was about to read into that buffer from
1453N/Athe network. It could also succeed, allowing the remote font server
1453N/Ato cause massive allocations in the X server, possibly using up all
1453N/Athe address space in a 32-bit X server, allowing the triggering of
1453N/Aother bugs in code that fails to handle malloc failure properly.
1453N/AThis patch protects against both problems, by disconnecting any
1453N/Afont server trying to feed us more than (the somewhat arbitrary)
1453N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1453N/AReviewed-by: Adam Jackson <ajax@redhat.com>
1453N/AReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
1453N/A(cherry picked from commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b)
1453N/A 1 file changed, 18 insertions(+)
1453N/A@@ -97,6 +97,9 @@ in this Software without prior written authorization from The Open Group.
1453N/A #define LENGTHOF(r) (SIZEOF(r) >> 2)
1453N/A+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
1453N/A+#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2)
1453N/A extern void ErrorF(const char *f, ...);
1453N/A static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
1453N/A@@ -619,6 +622,21 @@ fs_get_reply (FSFpePtr conn, int *error)
1453N/A rep = (fsGenericReply *) buf;
1453N/A+ * Refuse to accept replies longer than a maximum reasonable length,
1453N/A+ * before we pass to _fs_start_read, since it will try to resize the
1453N/A+ * incoming connection buffer to this size. Also avoids integer overflow
1453N/A+ if (rep->length > MAX_REPLY_LENGTH)
1453N/A+ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting"
1453N/A+ " from font server\n", rep->length);
1453N/A+ _fs_connection_died (conn);
1453N/A ret = _fs_start_read (conn, rep->length << 2, &buf);
1517N/AFrom 8ca608bdb5a5af7ee705ae4c3725ac774a69018b Mon Sep 17 00:00:00 2001
1517N/AFrom: Christos Zoulas <christos@NetBSD.org>
1517N/ADate: Wed, 25 Feb 2015 21:39:30 +0100
1517N/ASubject: [PATCH:libXfont 1/4] Set close-on-exec for font file I/O.
1517N/AReviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1517N/ASigned-off-by: Thomas Klausner <wiz@NetBSD.org>
1517N/A(cherry picked from commit d9fda3d247942292a5f24694c22337c547006e11)
1517N/A 2 files changed, 11 insertions(+), 6 deletions(-)
1517N/A@@ -36,6 +36,9 @@ in this Software without prior written authorization from The Open Group.
1517N/A FontFileOpen (const char *name)
1517N/A@@ -44,7 +47,7 @@ FontFileOpen (const char *name)
1517N/A- fd = open (name, O_BINARY);
1517N/A+ fd = open (name, O_BINARY|O_CLOEXEC);
1517N/A raw = BufFileOpenRead (fd);
1517N/Aindex bcc7b1e..859a0be 100644
1517N/A@@ -33,17 +33,19 @@ in this Software without prior written authorization from The Open Group.
1517N/A FontFileOpenWrite (const char *name)
1517N/A-#if defined(WIN32) || defined(__CYGWIN__)
1517N/A- fd = open (name, O_CREAT|O_TRUNC|O_RDWR|O_BINARY, 0666);
1517N/A+ fd = open (name, O_CREAT|O_TRUNC|O_RDWR|O_BINARY|O_CLOEXEC, 0666);
1517N/A return (FontFilePtr) BufFileOpenWrite (fd);
1517N/AFrom 1cf5752474dd3959cdd992d8f4f40fffe10291d5 Mon Sep 17 00:00:00 2001
1517N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1517N/ADate: Fri, 6 Feb 2015 15:50:45 -0800
1517N/ASubject: [PATCH:libXfont 2/4] bdfReadProperties: property count needs range
1517N/AAvoid integer overflow or underflow when allocating memory arrays
1517N/Aby multiplying the number of properties reported for a BDF font.
1517N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1517N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1517N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1517N/A(cherry picked from commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e)
1517N/A 1 file changed, 3 insertions(+), 1 deletion(-)
1517N/Aindex 914a024..6387908 100644
1517N/A@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
1517N/A bdfError("missing 'STARTPROPERTIES'\n");
1517N/A- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
1517N/A+ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
1517N/A+ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
1517N/A bdfError("bad 'STARTPROPERTIES'\n");
1517N/AFrom 3b8dba7b48863d860a040cb6516f6f53028a9426 Mon Sep 17 00:00:00 2001
1517N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1517N/ADate: Fri, 6 Feb 2015 15:54:00 -0800
1517N/ASubject: [PATCH:libXfont 3/4] bdfReadCharacters: bailout if a char's bitmap
1517N/A cannot be read [CVE-2015-1803]
1517N/APreviously would charge on ahead with a NULL pointer in ci->bits, and
1517N/Athen crash later in FontCharInkMetrics() trying to access the bits.
1517N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1517N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1517N/A(cherry picked from commit 78c2e3d70d29698244f70164428bd2868c0ab34c)
1517N/A 1 file changed, 4 insertions(+), 1 deletion(-)
1517N/Aindex 6387908..1b29b81 100644
1517N/A@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
1517N/A- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
1517N/A+ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
1517N/A+ bdfError("could not read bitmap for character '%s'\n", charName);
1517N/AFrom 6c60e85998252b641a50048a555de88bdaacd3c7 Mon Sep 17 00:00:00 2001
1517N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1517N/ADate: Fri, 6 Mar 2015 22:54:58 -0800
1517N/ASubject: [PATCH:libXfont 4/4] bdfReadCharacters: ensure metrics fit into
1517N/A xCharInfo struct [CVE-2015-1804]
1517N/AWe use 32-bit ints to read from the bdf file, but then try to stick
1517N/Ainto a 16-bit int in the xCharInfo struct, so make sure they won't
1517N/Av2: Verify that additions won't overflow 32-bit int range either.
1517N/Av3: As Julien correctly observes, the previous check for bh & bw not
1517N/A being < 0 reduces the number of cases we need to check for overflow.
1517N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1517N/AReviewed-by: Julien Cristau <jcristau@debian.org>
1517N/A(cherry picked from commit 2351c83a77a478b49cba6beb2ad386835e264744)
1517N/A 1 file changed, 24 insertions(+), 2 deletions(-)
1517N/A@@ -62,8 +62,16 @@ from The Open Group.
1517N/A-#define INT32_MAX 0x7fffffff
1517N/A+# define INT32_MAX 0x7fffffff
1517N/A+# define INT16_MIN (0 - 0x8000)
1517N/A@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
1517N/A bdfError("DWIDTH y value must be zero\n");
1517N/A+ /* xCharInfo metrics are stored as INT16 */
1517N/A+ if ((wx < 0) || (wx > INT16_MAX)) {
1517N/A+ bdfError("character '%s' has out of range width, %d\n",
1517N/A line = bdfGetLine(file, lineBuf, BDFLINELEN);
1517N/A if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) {
1517N/A@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
1517N/A+ /* xCharInfo metrics are read as int, but stored as INT16 */
1517N/A+ if ((bl > INT16_MAX) || (bl < INT16_MIN) ||
1517N/A+ (bb > INT16_MAX) || (bb < INT16_MIN) ||
1517N/A+ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) {
1517N/A+ bdfError("character '%s' has out of range metrics, %d %d %d %d\n",
1517N/A+ charName, bl, (bl+bw), (bh+bb), -bb);
1517N/A line = bdfGetLine(file, lineBuf, BDFLINELEN);
1517N/A if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) {
1517N/A for (p = line + strlen("ATTRIBUTES ");