[type1] Fix another potential buffer overflow (#45955).

* src/type1/t1parse (T1_Get_Private_Dict): Assure that check for
`eexec' doesn't exceed `limit'.
Werner Lemberg 2015-09-14 00:38:26 +02:00
parent ff7d640404
commit 7962a15d64
2 changed files with 19 additions and 6 deletions


@ -1,3 +1,10 @@
2015-09-14 Werner Lemberg <wl@gnu.org>
[type1] Fix another potential buffer overflow (#45955).
* src/type1/t1parse (T1_Get_Private_Dict): Assure that check for
`eexec' doesn't exceed `limit'.
2015-09-13 Werner Lemberg <wl@gnu.org> 2015-09-13 Werner Lemberg <wl@gnu.org>
Replace `mkinstalldirs' with AC_PROG_MKDIR_P. Replace `mkinstalldirs' with AC_PROG_MKDIR_P.


@ -334,7 +334,6 @@
/* first of all, look at the `eexec' keyword */ /* first of all, look at the `eexec' keyword */
FT_Byte* cur = parser->base_dict; FT_Byte* cur = parser->base_dict;
FT_Byte* limit = cur + parser->base_len; FT_Byte* limit = cur + parser->base_len;
FT_Byte c;
FT_Pointer pos_lf; FT_Pointer pos_lf;
FT_Bool test_cr; FT_Bool test_cr;
@ -342,8 +341,8 @@
Again: Again:
for (;;) for (;;)
{ {
c = cur[0]; if ( cur[0] == 'e' &&
if ( c == 'e' && cur + 9 < limit ) /* 9 = 5 letters for `eexec' + */ cur + 9 < limit ) /* 9 = 5 letters for `eexec' + */
/* whitespace + 4 chars */ /* whitespace + 4 chars */
{ {
if ( cur[1] == 'e' && if ( cur[1] == 'e' &&
@ -374,8 +373,15 @@
while ( cur < limit ) while ( cur < limit )
{ {
if ( *cur == 'e' && ft_strncmp( (char*)cur, "eexec", 5 ) == 0 ) if ( cur[0] == 'e' &&
cur + 5 < limit )
{
if ( cur[1] == 'e' &&
cur[2] == 'x' &&
cur[3] == 'e' &&
cur[4] == 'c' )
goto Found; goto Found;
}
T1_Skip_PS_Token( parser ); T1_Skip_PS_Token( parser );
if ( parser->root.error ) if ( parser->root.error )