[cff] Fix heap buffer overflow (#49858).

* src/cff/cffparse.c (cff_parser_run): Add one more stack size check.
2016-12-16 08:52:03 +01:00 · 2016-12-16 08:52:03 +01:00 · beecf80a6d
parent 01658be6fb
commit beecf80a6d
2 changed files with 14 additions and 3 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2016-12-16  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Fix heap buffer overflow (#49858).
+
+	* src/cff/cffparse.c (cff_parser_run): Add one more stack size
+	check.
+
 2016-12-15  Werner Lemberg  <wl@gnu.org>

 	Fix clang warnings.
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@ -1422,13 +1422,17 @@
        /* and look for it in our current list.                            */

        FT_UInt                   code;
-        FT_UInt                   num_args = (FT_UInt)
-                                             ( parser->top - parser->stack );
+        FT_UInt                   num_args;
        const CFF_Field_Handler*  field;


+        if ( (FT_UInt)( parser->top - parser->stack ) >= parser->stackSize )
+          goto Stack_Overflow;
+
+        num_args     = (FT_UInt)( parser->top - parser->stack );
        *parser->top = p;
-        code = v;
+        code         = v;
+
        if ( v == 12 )
        {
          /* two byte operator */