[cff] Fix heap buffer overflow (#49858).
* src/cff/cffparse.c (cff_parser_run): Add one more stack size check.
parent
01658be6fb
commit
beecf80a6d
|
@ -1,3 +1,10 @@
|
||||||
|
2016-12-16 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
|
[cff] Fix heap buffer overflow (#49858).
|
||||||
|
|
||||||
|
* src/cff/cffparse.c (cff_parser_run): Add one more stack size
|
||||||
|
check.
|
||||||
|
|
||||||
2016-12-15 Werner Lemberg <wl@gnu.org>
|
2016-12-15 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
Fix clang warnings.
|
Fix clang warnings.
|
||||||
|
|
|
@ -1422,13 +1422,17 @@
|
||||||
/* and look for it in our current list. */
|
/* and look for it in our current list. */
|
||||||
|
|
||||||
FT_UInt code;
|
FT_UInt code;
|
||||||
FT_UInt num_args = (FT_UInt)
|
FT_UInt num_args;
|
||||||
( parser->top - parser->stack );
|
|
||||||
const CFF_Field_Handler* field;
|
const CFF_Field_Handler* field;
|
||||||
|
|
||||||
|
|
||||||
|
if ( (FT_UInt)( parser->top - parser->stack ) >= parser->stackSize )
|
||||||
|
goto Stack_Overflow;
|
||||||
|
|
||||||
|
num_args = (FT_UInt)( parser->top - parser->stack );
|
||||||
*parser->top = p;
|
*parser->top = p;
|
||||||
code = v;
|
code = v;
|
||||||
|
|
||||||
if ( v == 12 )
|
if ( v == 12 )
|
||||||
{
|
{
|
||||||
/* two byte operator */
|
/* two byte operator */
|
||||||
|
|
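Review bot: The new bounds check ahead of `*parser->top = p` has no comment saying which write it protects, and it computes the operand count twice. The operator branch stores `p` in the slot just past the last operand, so a stack already holding `parser->stackSize` entries has no room for it. A comment such as `/* *top receives the operator position below, so one free slot is required */` would keep the check from later being dropped as redundant with any operand-push checks elsewhere in `cff_parser_run`. Assigning `num_args = (FT_UInt)( parser->top - parser->stack );` first and then testing `if ( num_args >= parser->stackSize )` would avoid repeating the cast expression. The `Stack_Overflow` label and the rest of the function lie outside this hunk, so the error path itself could not be checked here.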