From 5966c5fc6c1941b9d936ad21eb8c8ca9e37a0ec0 Mon Sep 17 00:00:00 2001 From: gordon Date: Wed, 4 Apr 2018 05:24:59 +0000 Subject: [PATCH] MFC r331981: Limit glyph count in vtfont_load to avoid integer overflow. Invalid font data passed to PIO_VFONT can result in an integer overflow in glyphsize. Characters may then be drawn on the console using glyph map entries that point beyond the end of allocated glyph memory, resulting in a kernel memory disclosure. Submitted by: emaste Reported by: Dr. Silvio Cesare of InfoSect Security: CVE-2018-6917 Security: FreeBSD-SA-18:04.vt Sponsored by: The FreeBSD Foundation
---
 sys/dev/vt/vt_font.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/dev/vt/vt_font.c b/sys/dev/vt/vt_font.c
index 4c369c68bdb2..1e65e70cfe2c 100644
--- a/sys/dev/vt/vt_font.c
+++ b/sys/dev/vt/vt_font.c
@@ -42,6 +42,7 @@ static MALLOC_DEFINE(M_VTFONT, "vtfont", "vt font");
 /* Some limits to prevent abnormal fonts from being loaded. */
 #define VTFONT_MAXMAPPINGS 65536
+#define VTFONT_MAXGLYPHS 131072
 #define VTFONT_MAXGLYPHSIZE 2097152
 #define VTFONT_MAXDIMENSION 128
@@ -171,7 +172,8 @@ vtfont_load(vfnt_t *f, struct vt_font **ret)
 /* Make sure the dimensions are valid. */
 if (f->width < 1 || f->height < 1)
 return (EINVAL);
- if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION)
+ if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION ||
+ f->glyph_count > VTFONT_MAXGLYPHS)
 return (E2BIG);
 /* Not too many mappings. */
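Review bot: `VTFONT_MAXGLYPHS` is added in the first hunk with no comment explaining why 131072 is the safe ceiling, although the commit message makes it the guard against the glyphsize overflow behind CVE-2018-6917. The existing block comment only says the limits reject abnormal fonts, so a maintainer who later raises this value or `VTFONT_MAXDIMENSION` has nothing telling them the limits must stay small enough that the size computation cannot wrap. I would add a line above the define such as `/* Caps glyph_count so the glyphsize computation in vtfont_load() cannot overflow. */`. The multiplication itself is outside the hunk, so the exact headroom should be confirmed against it.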
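Review bot: In the second hunk the glyph-count bound is appended to the dimension test under the comment `/* Make sure the dimensions are valid. */`, which hides that it is the security-relevant check. A separate test reads better and carries its own reason: `/* Bound glyph_count so the glyph buffer size computed below cannot overflow. */` followed by `if (f->glyph_count > VTFONT_MAXGLYPHS)` and `return (E2BIG);`. Width and height also get a lower-bound test while `glyph_count` gets only an upper one; its type is not visible here, so confirm it is unsigned, otherwise a negative count would pass this comparison. vtfont_load's body starts before and continues after this hunk, so the size computation that this bound protects should be checked to sit after it.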