ReceiveTempSMS
/
Al-Qurtas-Islamic-bank-The-Best-Bank-in-Iraq
forked from minhngoc25a/freetype2
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Protect against invalid SID values in CFFs. 

Problem reported by Tavis Ormandy <taviso@google.com>.

* src/cff/cffload.c (cff_charset_load): Reject SID values larger
than 64999.
This commit is contained in:
Werner Lemberg 2009-03-20 06:49:10 +01:00
parent 8b819254b9
commit 0545ec1ca3
2 changed files with 37 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ChangeLog
View File

@ -1,3 +1,12 @@
2009-03-20 Werner Lemberg <wl@gnu.org>
Protect against invalid SID values in CFFs.
Problem reported by Tavis Ormandy <taviso@google.com>.
* src/cff/cffload.c (cff_charset_load): Reject SID values larger
than 64999.
2009-03-19 Vincent Richomme <richom.v@free.fr> 2009-03-19 Vincent Richomme <richom.v@free.fr>
Update WinCE Visual C project files. Update WinCE Visual C project files.

29
src/cff/cffload.c
View File

@ -842,7 +842,20 @@
goto Exit; goto Exit;
for ( j = 1; j < num_glyphs; j++ ) for ( j = 1; j < num_glyphs; j++ )
charset->sids[j] = FT_GET_USHORT(); {
FT_UShort sid = FT_GET_USHORT();
/* this constant is given in the CFF specification */
if ( sid < 65000 )
charset->sids[j] = sid;
else
{
FT_ERROR(( "cff_charset_load:"
" invalid SID value %d set to zero\n", sid ));
charset->sids[j] = 0;
}
}
FT_FRAME_EXIT(); FT_FRAME_EXIT();
} }
@ -875,6 +888,20 @@
goto Exit; goto Exit;
} }
/* check whether the range contains at least one valid glyph; */
/* the constant is given in the CFF specification */
if ( glyph_sid >= 65000 ) {
FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
error = CFF_Err_Invalid_File_Format;
goto Exit;
}
/* try to rescue some of the SIDs if `nleft' is too large */
if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
nleft = 65000 - 1 - glyph_sid;
}
/* Fill in the range of sids -- `nleft + 1' glyphs. */ /* Fill in the range of sids -- `nleft + 1' glyphs. */
for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ ) for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
charset->sids[j] = glyph_sid; charset->sids[j] = glyph_sid;