[kbd] [PATCH] Validate psfu headers to avoid integer overflows.

Alexey Gladkov gladkov.alexey at gmail.com
Mon Dec 26 19:15:46 MSK 2016


On Sun, Nov 20, 2016 at 06:15:43PM +0100, Tobias Stoeckmann wrote:
> The psfu parser does not properly validate parsed values:
> 
> * unsigned int values are casted to signed int values when
>   parameters are supplied, therefore they must be checked against
>   INT_MAX (local size_t variables are used)
> * fontwidth must not be larger than INT_MAX - 7, otherwise later
>   alignment codes would overflow, e.g. (fontwidth + 7) / 8
> * "ftoffset + fontlen * charsize" is prone to overflow, make sure
>   that it does not; later on it will be checked against file size
> * when parsing multiple files, make sure that the sum of all
>   fonts won't overflow

I like the idea, but I don't like this patch. I consider it a bad idea to
collect all the checks in one place. Most of them looks like black magic
if you don't know the rest of source code.

Right now Oleg is developing the implementation of the library which will
replace this buggy code. I hope this library will be ready for next
release (not upcoming release).

> ---
> I've sent this mail in August 2015 already. Based on the upcoming
> release, it might be a good idea to re-evaluate it.

I guess I lost it. Sorry.

> Attached are two files which will crash the current code:
> 
> $ setfont setfont-fpe.psfu # font width too large
> Floating point exception
> $ psfxtable -i psfxtable-segfault.psfu # on 32 bit archs
> Segmentation fault

Thanks for test cases!

-- 
Rgrds, legion



More information about the kbd mailing list