[cff] Protect against invalid `hintmask' and `cntrmask' operators.

* src/cff/cffgload.c (cff_decoder_parse_charstrings) <cff_op_hintmask>: Ensure that we don't exceed `limit' while parsing the bit masks of the `hintmask' and `cntrmask' operators.
2010-06-27 12:34:19 +02:00 · 2010-06-27 12:34:19 +02:00 · e9f0cdb6c0
parent 1c70fcbc0a
commit e9f0cdb6c0
2 changed files with 17 additions and 1 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+2010-06-27  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Protect against invalid `hintmask' and `cntrmask' operators.
+
+	* src/cff/cffgload.c (cff_decoder_parse_charstrings)
+	<cff_op_hintmask>: Ensure that we don't exceed `limit' while parsing
+	the bit masks of the `hintmask' and `cntrmask' operators.
+
 2010-06-26  Werner Lemberg  <wl@gnu.org>

 	Fix PFR change 2010-06-24.
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@ -1341,6 +1341,14 @@

          if ( hinter )
          {
+            /* In a valid charstring there must be at least three bytes */
+            /* after `hintmask' or `cntrmask' (two for a `moveto'       */
+            /* operator and one for `endchar').  Additionally, there    */
+            /* must be space for `num_hints' bits.                      */
+
+            if ( ( ip + 3 + ( decoder->num_hints >> 8 ) ) >= limit )
+              goto Syntax_Error;
+
            if ( op == cff_op_hintmask )
              hinter->hintmask( hinter->hints,
                                builder->current->n_points,