[type1] Protect against invalid number of subroutines (#46150).
* src/type1/t1load.c (parse_subrs): Check number of `Subrs' dictionary entries against size of data stream.
parent
dde84f2539
commit
121122416d
|
@ -1,3 +1,10 @@
|
|||
2015-10-08 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[type1] Protect against invalid number of subroutines (#46150).
|
||||
|
||||
* src/type1/t1load.c (parse_subrs): Check number of
|
||||
`Subrs' dictionary entries against size of data stream.
|
||||
|
||||
2015-10-07 Kostya Serebryany <kcc@google.com>
|
||||
|
||||
[ftfuzzer] Add support for LLVM's LibFuzzer.
|
||||
|
|
|
@ -1420,6 +1420,21 @@
|
|||
}
|
||||
|
||||
num_subrs = (FT_Int)T1_ToInt( parser );
|
||||
if ( num_subrs < 0 )
|
||||
{
|
||||
parser->root.error = FT_THROW( Invalid_File_Format );
|
||||
return;
|
||||
}
|
||||
|
||||
/* we certainly need more than 8 bytes per subroutine */
|
||||
if ( num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
|
||||
{
|
||||
FT_TRACE0(( "parse_subrs: adjusting number of subroutines"
|
||||
" (from %d to %d)\n",
|
||||
num_subrs,
|
||||
( parser->root.limit - parser->root.cursor ) >> 3 ));
|
||||
num_subrs = ( parser->root.limit - parser->root.cursor ) >> 3;
|
||||
}
|
||||
|
||||
/* position the parser right before the `dup' of the first subr */
|
||||
T1_Skip_PS_Token( parser ); /* `array' */
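Review bot: The last argument of the `FT_TRACE0` call in the new clamp branch is `( parser->root.limit - parser->root.cursor ) >> 3`, a pointer difference, yet the format prints it with `%d`; where that type is wider than `int` the argument does not match its conversion, and the assignment on the next line narrows the same value to `FT_Int` implicitly. An explicit cast in both places would make the narrowing deliberate, `(FT_Int)( ( parser->root.limit - parser->root.cursor ) >> 3 )`; inside this branch a non-negative bound is below `num_subrs`, so the cast cannot truncate. The bound is written out three times, and holding it in one local would keep the comparison, the trace and the assignment in agreement. Because `num_subrs` is read from the font file, a short comment stating that the comparison relies on `cursor` not having passed `limit` would also help; `parse_subrs` begins and ends outside the hunk, so that invariant cannot be confirmed from here.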
|
||||
|
|