vtfontcvt: improve .bdf verification

Previously we would crash if the BBX y-offset was outside of the font bounding box. Reported by: afl MFC with: r349100 Event: Berlin Devsummit 2019 Sponsored by: The FreeBSD Foundation
kiwichris · Jun 16, 2019 · 5703640 · 5703640
1 parent a9065ba
commit 5703640
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/usr.bin/vtfontcvt/vtfontcvt.c b/usr.bin/vtfontcvt/vtfontcvt.c
@@ -383,7 +383,8 @@ parse_bdf(FILE *fp, unsigned int map_idx)
 		    sscanf(ln + 4, "%d %d %d %d", &bbw, &bbh, &bbox,
 		     &bboy) == 4) {
 			if (bbw < 1 || bbh < 1 || bbw > fbbw || bbh > fbbh ||
-			    bbox < fbbox || bboy < fbboy)
+			    bbox < fbbox || bboy < fbboy ||
+			    bbh + bboy > fbbh + fbboy)
 				errx(1, "broken bitmap with BBX %d %d %d %d at line %u",
 				    bbw, bbh, bbox, bboy, linenum);
 			bbwbytes = howmany(bbw, 8);