Fix Savannah bug #43538.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow by a broken POST table in resource-fork.
2014-11-26 15:43:29 +09:00 · 2014-11-26 15:43:29 +09:00 · 240c94a185
parent 5aff85301b
commit 240c94a185
2 changed files with 21 additions and 1 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2014-11-26  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	Fix Savannah bug #43538.
+
+	* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
+	by a broken POST table in resource-fork.
+
 2014-11-26  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>

 	* src/base/ftobjs.c (Mac_Read_POST_Resource): Avoid memory leak
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@ -1580,10 +1580,23 @@
        goto Exit;
      if ( FT_READ_LONG( temp ) )
        goto Exit;
+      if ( 0 > temp )
+        error = FT_THROW( Invalid_Offset );
+      else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
+        error = FT_THROW( Array_Too_Large );
+
+      if ( error )
+        goto Exit;
+
      pfb_len += temp + 6;
    }

-    if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
+    if ( 0x7FFFFFFFL - 2 < pfb_len )
+      error = FT_THROW( Array_Too_Large );
+    else
+      error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
+
+    if ( error )
      goto Exit;

    pfb_data[0] = 0x80;