* src/base/ftrfork.c (FT_Raccess_Get_DataOffsets): Check `count'.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=308
2016-12-22 10:12:17 +01:00 · 2016-12-22 10:12:17 +01:00 · 7f7333990c
parent b44e6c2035
commit 7f7333990c
2 changed files with 11 additions and 1 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+2016-12-22  Werner Lemberg  <wl@gnu.org>
+
+	* src/base/ftrfork.c (FT_Raccess_Get_DataOffsets): Check `count'.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=308
+
 2016-12-22  Werner Lemberg  <wl@gnu.org>

 	[cff] Protect against invalid `vsindex' and `blend' values.
--- a/src/base/ftrfork.c
+++ b/src/base/ftrfork.c
@ -248,7 +248,9 @@
        *count = subcnt + 1;
        rpos  += map_offset;

-        if ( *count > 2727 )
+        /* a zero count might be valid in the resource specification, */
+        /* however, it is completely useless to us                    */
+        if ( *count < 1 || *count > 2727 )
          return FT_THROW( Invalid_Table );

        error = FT_Stream_Seek( stream, (FT_ULong)rpos );