From f29f741efbba0a5ce2f16464f648fb8d026ed4c8 Mon Sep 17 00:00:00 2001 From: suzuki toshiya Date: Thu, 1 Jul 2010 17:31:03 +0900 Subject: [PATCH] Additional fix for Savannah bug #30248 and #30249. * src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer size during gathering PFB fragments embedded in LaserWriter PS font for Macintosh. Reported by Robert Swiecki. --- ChangeLog | 8 ++++++++ src/base/ftobjs.c | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/ChangeLog b/ChangeLog index 948c563fe..de3c5079e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2010-07-01 suzuki toshiya + + Additional fix for Savannah bug #30248 and #30249. + + * src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer + size during gathering PFB fragments embedded in LaserWriter PS + font for Macintosh. Reported by Robert Swiecki. + 2010-06-30 Alexei Podtelezhnikov Minor optimizations by avoiding divisions. diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c index 32d441721..9217b8767 100644 --- a/src/base/ftobjs.c +++ b/src/base/ftobjs.c @@ -1552,6 +1552,8 @@ len += rlen; else { + if ( pfb_lenpos + 3 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_lenpos ] = (FT_Byte)( len ); pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 ); pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 ); @@ -1560,6 +1562,8 @@ if ( ( flags >> 8 ) == 5 ) /* End of font mark */ break; + if ( pfb_pos + 6 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_pos++] = 0x80; type = flags >> 8; @@ -1579,9 +1583,13 @@ pfb_pos += rlen; } + if ( pfb_pos + 2 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_pos++] = 0x80; pfb_data[pfb_pos++] = 3; + if ( pfb_lenpos + 3 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_lenpos ] = (FT_Byte)( len ); pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 ); pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );