From fd0e3f7c9856ddfeea69840df142b23940aeb326 Mon Sep 17 00:00:00 2001 From: Ed Maste Date: Sun, 16 Jun 2019 13:35:53 +0000 Subject: [PATCH] vtfontcvt: improve .bdf verification Previously we would crash if the BBX y-offset was outside of the font bounding box. Reported by: afl MFC with: r349100 Event: Berlin Devsummit 2019 Sponsored by: The FreeBSD Foundation --- usr.bin/vtfontcvt/vtfontcvt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr.bin/vtfontcvt/vtfontcvt.c b/usr.bin/vtfontcvt/vtfontcvt.c index 5dae35cb77e6..938b7dbcebec 100644 --- a/usr.bin/vtfontcvt/vtfontcvt.c +++ b/usr.bin/vtfontcvt/vtfontcvt.c @@ -383,7 +383,8 @@ parse_bdf(FILE *fp, unsigned int map_idx) sscanf(ln + 4, "%d %d %d %d", &bbw, &bbh, &bbox, &bboy) == 4) { if (bbw < 1 || bbh < 1 || bbw > fbbw || bbh > fbbh || - bbox < fbbox || bboy < fbboy) + bbox < fbbox || bboy < fbboy || + bbh + bboy > fbbh + fbboy) errx(1, "broken bitmap with BBX %d %d %d %d at line %u", bbw, bbh, bbox, bboy, linenum); bbwbytes = howmany(bbw, 8);
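Review bot: The added bound `bbh + bboy > fbbh + fbboy` is evaluated in plain `int` on values that `sscanf` reads directly from the .bdf file, so a BBX y-offset near INT_MAX makes `bbh + bboy` overflow; that is undefined behaviour and can in practice wrap negative, letting the glyph pass the check this commit adds. Computing both sums in a wider type avoids this: `bbh + (long long)bboy > fbbh + (long long)fbboy)`. The x axis gets no matching upper bound (`bbw + bbox` against `fbbw + fbbox`), which may be worth adding. Whether that gap is reachable depends on how `bbox` is used later in parse_bdf, and that code, like the parsing of the font bounding box values, lies outside this hunk.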