backends: Fix several security issues in the dvi-backend.

See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643. Taken from evince commit: d4139205b010ed06310d14284e63114e88ec6de2 From: José Aliste <[email protected]>
author: infirit <[email protected]> 2014-12-10 00:58:36 +0100
committer: infirit <[email protected]> 2014-12-10 00:58:36 +0100
commit: a828cb1a5c0835d08a17c86f64d571436f93f980 (patch)
tree: 6ad1a50b5854ffe240a46f2572b170c599efbfd1 /backend/dvi/mdvi-lib/tfmfile.c
parent: b2d02d6471176fdb0e42dbe05ffaee90a933a239 (diff)
download: atril-a828cb1a5c0835d08a17c86f64d571436f93f980.tar.bz2
atril-a828cb1a5c0835d08a17c86f64d571436f93f980.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c
index 73ebf26a..8c2a30b2 100644
--- a/backend/dvi/mdvi-lib/tfmfile.c
+++ b/backend/dvi/mdvi-lib/tfmfile.c
@@ -172,7 +172,8 @@ int	tfm_load_file(const char *filename, TFMInfo *info)
 	/* We read the entire TFM file into core */
 	if(fstat(fileno(in), &st) < 0)
 		return -1;
-	if(st.st_size == 0)
+	/* according to the spec, TFM files are smaller than 16K */
+	if(st.st_size == 0 || st.st_size >= 16384)
 		goto bad_tfm;
 
 	/* allocate a word-aligned buffer to hold the file */
author	infirit <[email protected]>	2014-12-10 00:58:36 +0100
committer	infirit <[email protected]>	2014-12-10 00:58:36 +0100
commit	a828cb1a5c0835d08a17c86f64d571436f93f980 (patch)
tree	6ad1a50b5854ffe240a46f2572b170c599efbfd1 /backend/dvi/mdvi-lib/tfmfile.c
parent	b2d02d6471176fdb0e42dbe05ffaee90a933a239 (diff)
download	atril-a828cb1a5c0835d08a17c86f64d571436f93f980.tar.bz2 atril-a828cb1a5c0835d08a17c86f64d571436f93f980.tar.xz