From 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415 Mon Sep 17 00:00:00 2001
From: suzuki toshiya
Date: Wed, 26 Nov 2014 15:52:23 +0900
Subject: [PATCH] Fix Savannah bug #43539.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow by a broken POST table in resource-fork.
---
ChangeLog | 7 +++++++
src/base/ftobjs.c | 17 +++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 5ba75b6b8..8a246e87f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2014-11-26 suzuki toshiya
+
+ Fix Savannah bug #43539.
+
+ * src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
+ by a broken POST table in resource-fork.
+
2014-11-26 suzuki toshiya
Fix Savannah bug #43538.
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index ffbbc3269..922216e78 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1617,6 +1617,11 @@
goto Exit2;
if ( FT_READ_LONG( rlen ) )
goto Exit2;
+ if ( rlen < 0 )
+ {
+ error = FT_THROW( Invalid_Offset );
+ goto Exit2;
+ }
if ( FT_READ_USHORT( flags ) )
goto Exit2;
FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
@@ -1634,7 +1639,14 @@
rlen = 0;
if ( ( flags >> 8 ) == type )
+ {
+ if ( 0x7FFFFFFFL - rlen < len )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto Exit2;
+ }
len += rlen;
+ }
else
{
if ( pfb_lenpos + 3 > pfb_len + 2 )
@@ -1663,6 +1675,11 @@
}
error = FT_ERR( Cannot_Open_Resource );
+ if ( rlen > 0x7FFFFFFFL - pfb_pos )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto Exit2;
+ }
if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
goto Exit2;
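Review bot: The new `rlen < 0` guard after `FT_READ_LONG( rlen )` reports a negative fragment length as `Invalid_Offset`, but `rlen` is a length field rather than an offset, so the error code points a debugger at the wrong thing; `Invalid_Table` (a broken table), or the `Array_Too_Large` code the second hunk already uses for the same value, would be consistent with the rest of the patch. The check is also silent on why it exists, and a one-line comment such as `/* the 32-bit length field is sign-extended; a set sign bit means a corrupt POST resource, not a huge fragment */` would stop a later reader from relaxing it. If I read the macro correctly `FT_READ_LONG` yields a sign-extended 32-bit value, so after this guard `rlen` is bounded to at most 0x7FFFFFFF, which is exactly what the later sum checks rely on and is worth stating in that comment. The loop over POST fragments that encloses this code starts and ends outside the hunk.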
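Review bot: `0x7FFFFFFFL` is an unexplained magic constant in the new `0x7FFFFFFFL - rlen < len` check, and the same literal reappears in the third hunk's `rlen > 0x7FFFFFFFL - pfb_pos`; define it once above the function, e.g. `#define PFB_LEN_MAX 0x7FFFFFFFL /* POST/PFB length fields are 32-bit */` (name constructed), and use it in both places. The comment matters because `FT_Long` is 64 bits on LP64 platforms, so a reader may be tempted to replace the literal with `LONG_MAX`; presumably the bound is deliberately the 32-bit maximum because `len` and `pfb_pos` end up in 32-bit fields of the generated PFB data — confirm that against the code below the hunk. Both subtractions are free of signed overflow only because `rlen` is already non-negative thanks to the guard in the first hunk, so the two hunks should be read together. The loop enclosing this code begins and ends outside the hunk.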