Fix Savannah bug #30656.
* src/type42/t42parse.c (t42_parse_sfnts): Protect against negative string_size. Fix comparison.
This commit is contained in:
parent
d9b3e39484
commit
c06da1ad34
|
@ -1,3 +1,11 @@
|
|||
2010-08-05 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
Fix Savannah bug #30656.
|
||||
|
||||
* src/type42/t42parse.c (t42_parse_sfnts): Protect against negative
|
||||
string_size.
|
||||
Fix comparison.
|
||||
|
||||
2010-08-05 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||
|
||||
[cff] Don't use any values in decoder after parsing error.
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
/* */
|
||||
/* Type 42 font parser (body). */
|
||||
/* */
|
||||
/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
|
||||
/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
|
||||
/* Roberto Alameda. */
|
||||
/* */
|
||||
/* This file is part of the FreeType project, and may only be used, */
|
||||
|
@ -577,6 +577,12 @@
|
|||
}
|
||||
|
||||
string_size = T1_ToInt( parser );
|
||||
if ( string_size < 0 )
|
||||
{
|
||||
FT_ERROR(( "t42_parse_sfnts: invalid string size\n" ));
|
||||
error = T42_Err_Invalid_File_Format;
|
||||
goto Fail;
|
||||
}
|
||||
|
||||
T1_Skip_PS_Token( parser ); /* `RD' */
|
||||
if ( parser->root.error )
|
||||
|
@ -584,13 +590,14 @@
|
|||
|
||||
string_buf = parser->root.cursor + 1; /* one space after `RD' */
|
||||
|
||||
parser->root.cursor += string_size + 1;
|
||||
if ( parser->root.cursor >= limit )
|
||||
if ( limit - parser->root.cursor < string_size )
|
||||
{
|
||||
FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
|
||||
error = T42_Err_Invalid_File_Format;
|
||||
goto Fail;
|
||||
}
|
||||
else
|
||||
parser->root.cursor += string_size + 1;
|
||||
}
|
||||
|
||||
if ( !string_buf )
|
||||
|
|
Loading…
Reference in New Issue