[type1] Fix Savannah bug #35608.

* src/type1/t1parse.c (T1_Get_Private_Dict): Reject too short
dictionaries.

ChangeLog

@@ -1,3 +1,10 @@
+2012-02-26  Werner Lemberg  <wl@gnu.org>
+
+	[type1] Fix Savannah bug #35608.
+
+	* src/type1/t1parse.c (T1_Get_Private_Dict): Reject too short
+	dictionaries.
+
 2012-02-26  Werner Lemberg  <wl@gnu.org>
 
 	[bdf] Support `ENCODING -1 <n>' format.

src/type1/t1parse.c

@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    Type 1 parser (body).                                                */
 /*                                                                         */
-/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by             */
+/*  Copyright 1996-2005, 2008, 2009, 2012 by                               */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -467,6 +467,14 @@
     /* we now decrypt the encoded binary private dictionary */
     psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U );
 
+    if ( parser->private_len < 4 )
+    {
+      FT_ERROR(( "T1_Get_Private_Dict:"
+                 " invalid private dictionary section\n" ));
+      error = T1_Err_Invalid_File_Format;
+      goto Fail;
+    }
+
     /* replace the four random bytes at the beginning with whitespace */
     parser->private_dict[0] = ' ';
     parser->private_dict[1] = ' ';