From be0b08e2d354138d3222b4490e2a77c6ee42f778 Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Mon, 1 Jun 2026 16:46:10 +1000 Subject: [PATCH libXfont 1/3] bitscale: fix integer overflow in BitmapScaleBitmaps bytestoalloc bytestoalloc is declared as unsigned int (32-bit). When the sum of per-glyph byte counts exceeds 2^32, the value wraps around and calloc() allocates a buffer that is too small. The subsequent ScaleBitmap loop then writes past the end of the allocated buffer. Change bytestoalloc from unsigned int to size_t to match the actual allocation size type, and add an explicit overflow check in the accumulation loop to bail out if the total would exceed SIZE_MAX. This vulnerability was discovered by: Anonymous working with TrendAI Zero Day Initiative CVE-2026-56001/ZDI-CAN-30558 Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer Part-of: --- src/bitmap/bitscale.c | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/src/bitmap/bitscale.c b/src/bitmap/bitscale.c index 3f3c10e..5f465d1 100644 --- a/src/bitmap/bitscale.c +++ b/src/bitmap/bitscale.c @@ -1456,7 +1456,7 @@ BitmapScaleBitmaps(FontPtr pf, /* scaled font */ opci; FontInfoPtr pfi; int glyph; - unsigned bytestoalloc = 0; + size_t bytestoalloc = 0; int firstCol, lastCol, firstRow, lastRow; double xform[4], inv_xform[4]; @@ -1483,8 +1483,25 @@ BitmapScaleBitmaps(FontPtr pf, /* scaled font */ glyph = pf->glyph; for (i = 0; i < nchars; i++) { - if ((pci = ACCESSENCODING(bitmapFont->encoding, i))) - bytestoalloc += BYTES_FOR_GLYPH(pci, glyph); + if ((pci = ACCESSENCODING(bitmapFont->encoding, i))) { + size_t glyphsize = BYTES_FOR_GLYPH(pci, glyph); + if (bytestoalloc > SIZE_MAX - glyphsize) { + fprintf(stderr, + "Error: bitmap allocation overflow for scaled font\n"); + goto bail; + } + bytestoalloc += glyphsize; + } + } + + /* Reject unreasonably large bitmap allocations that could result + * from malicious fonts with extreme scale factors. 256 MiB is + * far beyond any legitimate scaled bitmap font. */ +#define BITMAP_SCALE_MAX_ALLOC (256 * 1024 * 1024) + if (bytestoalloc > BITMAP_SCALE_MAX_ALLOC) { + fprintf(stderr, + "Error: scaled bitmap size %zu exceeds limit\n", bytestoalloc); + goto bail; } /* Do we add the font malloc stuff for VALUE ADDED ? */ -- 2.55.0