Fix Savannah bug #43547.

* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset' values.
2014-11-06 22:32:46 +01:00 · 2014-11-06 22:32:46 +01:00 · 0e2f5d518c
parent f49a100a6c
commit 0e2f5d518c
2 changed files with 22 additions and 0 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2014-11-06  Werner Lemberg  <wl@gnu.org>
+
+	Fix Savannah bug #43547.
+
+	* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
+	values.
+
 2014-11-06  Werner Lemberg  <wl@gnu.org>

 	* src/pcf/pcfread.c (pcf_read_TOC): Avoid memory leak.
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@ -154,6 +154,21 @@ THE SOFTWARE.
        break;
    }

+    /* we now check whether the `size' and `offset' values are reasonable: */
+    /* `offset' + `size' must not exceed the stream size                   */
+    tables = face->toc.tables;
+    for ( n = 0; n < toc->count; n++ )
+    {
+      /* we need two checks to avoid overflow */
+      if ( ( tables->size   > stream->size                ) ||
+           ( tables->offset > stream->size - tables->size ) )
+      {
+        error = FT_THROW( Invalid_Table );
+        goto Exit;
+      }
+      tables++;
+    }
+
 #ifdef FT_DEBUG_LEVEL_TRACE

    {