From: Alexey Gladkov
To: Linux console tools development discussion
Date: Mon, 26 Dec 2016 17:15:46 +0100
Subject: Re: [kbd] [PATCH] Validate psfu headers to avoid integer overflows.
Message-ID: <20161226161546.GA22155@comp-core-i7-2640m-0182e6.fortress>
In-Reply-To: <20161120171543.GA30913@localhost>
List-Id: Linux console tools development discussion
X-BeenThere: kbd@lists.altlinux.org

On Sun, Nov 20, 2016 at 06:15:43PM +0100, Tobias Stoeckmann wrote:
> The psfu parser does not properly validate parsed values:
>
> * unsigned int values are cast to signed int values when
>   parameters are supplied, therefore they must be checked against
>   INT_MAX (local size_t variables are used)
> * fontwidth must not be larger than INT_MAX - 7, otherwise later
>   alignment codes would overflow, e.g. (fontwidth + 7) / 8
> * "ftoffset + fontlen * charsize" is prone to overflow, make sure
>   that it does not; later on it will be checked against file size
> * when parsing multiple files, make sure that the sum of all
>   fonts won't overflow

I like the idea, but I don't like this patch. I consider it a bad idea to
collect all the checks in one place. Most of them look like black magic if
you don't know the rest of the source code.
Right now Oleg is developing the implementation of the library which will
replace this buggy code. I hope this library will be ready for the next
release (not the upcoming release).

> ---
> I've sent this mail in August 2015 already. Based on the upcoming
> release, it might be a good idea to re-evaluate it.

I guess I lost it. Sorry.

> Attached are two files which will crash the current code:
>
> $ setfont setfont-fpe.psfu # font width too large
> Floating point exception
> $ psfxtable -i psfxtable-segfault.psfu # on 32 bit archs
> Segmentation fault

Thanks for the test cases!

-- 
Rgrds, legion
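The four checks Tobias lists in the quoted patch description, written out as an added example in C. This is not kbd's code and not the patch under discussion; the function names, the size_t parameter types, the INT_MAX bound on the multi-file total, and the sample values in main() are all assumptions made for the illustration.

```c
/* Added example (not kbd's code): overflow-safe validation of the values a
 * psfu header parser produces, following the four checks from the patch
 * description. Function names and size_t parameter types are assumed. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 1 when the header values are safe to use, 0 when any check fails.
 * Every check is done *before* the arithmetic that could overflow. */
int psfu_check_header(size_t fontwidth, size_t fontlen, size_t charsize,
                      size_t ftoffset, size_t filesize)
{
    size_t glyphbytes;

    /* Values later passed as int parameters must fit in an int. */
    if (fontwidth > INT_MAX || fontlen > INT_MAX || charsize > INT_MAX)
        return 0;
    /* Alignment code computes (fontwidth + 7) / 8 in int arithmetic. */
    if (fontwidth > INT_MAX - 7)
        return 0;
    /* fontlen * charsize: test the multiplication by division first. */
    if (charsize != 0 && fontlen > SIZE_MAX / charsize)
        return 0;
    glyphbytes = fontlen * charsize;
    /* ftoffset + glyphbytes: test the addition by subtraction first. */
    if (ftoffset > SIZE_MAX - glyphbytes)
        return 0;
    /* Only now is the sum safe to compare against the file size. */
    if (ftoffset + glyphbytes > filesize)
        return 0;
    return 1;
}

/* Multi-file case: returns 1 if the glyph counts of all files can be summed
 * without exceeding INT_MAX (assumed bound, since the total is later used
 * as an int), 0 if any partial sum would overflow. */
int psfu_total_fits(const size_t *fontlens, size_t nfiles)
{
    size_t total = 0, i;
    for (i = 0; i < nfiles; i++) {
        /* total <= INT_MAX holds here, so the subtraction cannot wrap. */
        if (fontlens[i] > (size_t)INT_MAX - total)
            return 0;
        total += fontlens[i];
    }
    return 1;
}

int main(void)
{
    /* Constructed values: an 8x16, 256-glyph font in a 4128-byte file. */
    printf("sane header:      %d\n",
           psfu_check_header(8, 256, 16, 32, 32 + 256 * 16));
    /* Constructed value mirroring the "font width too large" case. */
    printf("huge fontwidth:   %d\n",
           psfu_check_header((size_t)INT_MAX - 3, 256, 16, 32, 4128));
    /* Constructed values where offset + glyph data overruns the file. */
    printf("data past EOF:    %d\n",
           psfu_check_header(8, 256, 16, 32, 4000));
    /* Constructed glyph counts whose sum exceeds INT_MAX. */
    printf("multi-file total: %d\n",
           psfu_total_fits((const size_t[]){256, (size_t)INT_MAX}, 2));
    return 0;
}
```

The order of the checks matters: the int-range tests come first so that `INT_MAX - 7` and `INT_MAX - total` are evaluated on values that cannot wrap, and the multiplication and addition are each guarded by the inverse operation before they are performed, which is what the "(fontwidth + 7) / 8" and "ftoffset + fontlen * charsize" bullets ask for.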