Index: dirfile.c =================================================================== RCS file: /home/x-cvs/xc/lib/font/fontfile/dirfile.c,v retrieving revision 3.15 diff -u -r3.15 dirfile.c --- dirfile.c 31 May 2002 18:45:50 -0000 3.15 +++ dirfile.c 11 Feb 2004 21:17:20 -0000 @@ -68,6 +68,9 @@ FontDirectoryPtr dir = NullFontDirectory; + if (strlen(directory) + 1 + sizeof(FontDirFile) > sizeof(dir_file)) + return BadFontPath; + #ifdef FONTDIRATTRIB /* Check for font directory attributes */ #ifndef __UNIXOS2__ @@ -154,6 +157,9 @@ char dir_file[MAXFONTFILENAMELEN]; struct stat statb; + if (strlen(dir->directory) + sizeof(FontDirFile) > sizeof(dir_file)) + return FALSE; + strcpy (dir_file, dir->directory); strcat (dir_file, FontDirFile); if (stat (dir_file, &statb) == -1) @@ -202,6 +208,8 @@ continue; len = strlen (fileName) - renderer->fileSuffixLen; + if (len >= sizeof(copy)) + continue; CopyISOLatin1Lowered (copy, fileName, len); copy[len] = '\0'; name.name = copy; @@ -251,9 +259,13 @@ int status = Successful; struct stat statb; + if (strlen(directory) >= sizeof(alias_file)) + return BadFontPath; dir = *pdir; strcpy(alias_file, directory); if (!isFile) { + if (strlen(directory) + 1 + sizeof(FontAliasFile) > sizeof(alias_file)) + return BadFontPath; if (directory[strlen(directory) - 1] != '/') strcat(alias_file, "/"); strcat(alias_file, FontAliasFile); @@ -286,6 +298,10 @@ status = AllocError; break; case NAME: + if (strlen(lexToken) >= sizeof(alias)) { + status = BadFontPath; + break; + } strcpy(alias, lexToken); token = lexAlias(file, &lexToken); switch (token) { @@ -302,6 +318,10 @@ status = AllocError; break; case NAME: + if (strlen(lexToken) >= sizeof(font_name)) { + status = BadFontPath; + break; + } CopyISOLatin1Lowered(alias, alias, strlen(alias)); CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken)); if (!FontFileAddFontAlias (dir, alias, font_name)) Index: encparse.c =================================================================== RCS file: /home/x-cvs/xc/lib/font/fontfile/encparse.c,v retrieving revision 1.18 diff -u -r1.18 encparse.c --- encparse.c 2 Nov 2001 03:06:40 -0000 1.18 +++ encparse.c 11 Feb 2004 21:17:20 -0000 @@ -833,6 +833,7 @@ char file_name[MAXFONTFILENAMELEN], encoding_name[MAXFONTNAMELEN], buf[MAXFONTFILENAMELEN]; int count, n; + static char format[24] = ""; /* As we don't really expect to open encodings that often, we don't take the trouble of caching encodings directories. */ @@ -848,8 +849,12 @@ } encoding = NULL; + if (!format[0]) { + sprintf(format, "%%%ds %%%d[^\n]\n", sizeof(encoding_name) - 1, + sizeof(file_name) - 1); + } for(;;) { - count = fscanf(file, "%s %[^\n]\n", encoding_name, file_name); + count = fscanf(file, format, encoding_name, file_name); if(count == EOF) break; if(count != 2) Index: fontfile.c =================================================================== RCS file: /home/x-cvs/xc/lib/font/fontfile/fontfile.c,v retrieving revision 3.16 diff -u -r3.16 fontfile.c --- fontfile.c 31 May 2002 18:45:50 -0000 3.16 +++ fontfile.c 11 Feb 2004 21:17:20 -0000 @@ -424,11 +424,16 @@ vals.ranges = ranges; vals.nranges = nranges; - strcpy (fileName, dir->directory); - strcat (fileName, scalable->fileName); - ret = (*scalable->renderer->OpenScalable) (fpe, pFont, + if (strlen(dir->directory) + strlen(scalable->fileName) >= + sizeof(fileName)) { + ret = BadFontName; + } else { + strcpy (fileName, dir->directory); + strcat (fileName, scalable->fileName); + ret = (*scalable->renderer->OpenScalable) (fpe, pFont, flags, entry, fileName, &vals, format, fmask, non_cachable_font); + } /* In case rasterizer does something bad because of charset subsetting... */ @@ -497,6 +502,8 @@ dir = (FontDirectoryPtr) fpe->private; bitmap = &entry->u.bitmap; + if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName)) + return BadFontName; strcpy (fileName, dir->directory); strcat (fileName, bitmap->fileName); ret = (*bitmap->renderer->OpenBitmap) @@ -530,6 +537,8 @@ dir = (FontDirectoryPtr) fpe->private; bitmap = &entry->u.bitmap; + if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName)) + return BadFontName; strcpy (fileName, dir->directory); strcat (fileName, bitmap->fileName); ret = (*bitmap->renderer->GetInfoBitmap) (fpe, pFontInfo, entry, fileName); @@ -891,10 +900,15 @@ vals.ranges = FontParseRanges(origName, &vals.nranges); ranges = vals.ranges; /* Make a new scaled instance */ - strcpy (fileName, dir->directory); - strcat (fileName, scalable->fileName); - ret = (*scalable->renderer->GetInfoScalable) - (fpe, *pFontInfo, entry, &tmpName, fileName, &vals); + if (strlen(dir->directory) + strlen(scalable->fileName) >= + sizeof(fileName)) { + ret = BadFontName; + } else { + strcpy (fileName, dir->directory); + strcat (fileName, scalable->fileName); + ret = (*scalable->renderer->GetInfoScalable) + (fpe, *pFontInfo, entry, &tmpName, fileName, &vals); + } if (ranges) xfree(ranges); } } @@ -931,10 +945,15 @@ bc = &entry->u.bc; entry = bc->entry; /* Make a new scaled instance */ - strcpy (fileName, dir->directory); - strcat (fileName, scalable->fileName); - ret = (*scalable->renderer->GetInfoScalable) + if (strlen(dir->directory) + strlen(scalable->fileName) >= + sizeof(fileName)) { + ret = BadFontName; + } else { + strcpy (fileName, dir->directory); + strcat (fileName, scalable->fileName); + ret = (*scalable->renderer->GetInfoScalable) (fpe, *pFontInfo, entry, tmpName, fileName, &bc->vals); + } break; #endif default: