[type42] Protect against invalid number of glyphs (#46159).
* src/type42/t42parse.c (t42_parse_charstrings): Check number of `CharStrings' dictionary entries against size of data stream.
parent
983b00ec86
commit
06c2d3324e
|
@ -1,3 +1,10 @@
|
||||||
|
2015-10-08 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
|
[type42] Protect against invalid number of glyphs (#46159).
|
||||||
|
|
||||||
|
* src/type42/t42parse.c (t42_parse_charstrings): Check number of
|
||||||
|
`CharStrings' dictionary entries against size of data stream.
|
||||||
|
|
||||||
2015-10-08 Werner Lemberg <wl@gnu.org>
|
2015-10-08 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
[sfnt] Fix some signed overflows (#46149).
|
[sfnt] Fix some signed overflows (#46149).
|
||||||
|
|
|
@ -795,6 +795,17 @@
|
||||||
error = FT_THROW( Invalid_File_Format );
|
error = FT_THROW( Invalid_File_Format );
|
||||||
goto Fail;
|
goto Fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* we certainly need more than 4 bytes per glyph */
|
||||||
|
if ( loader->num_glyphs > ( limit - parser->root.cursor ) >> 2 )
|
||||||
|
{
|
||||||
|
FT_TRACE0(( "t42_parse_charstrings: adjusting number of glyphs"
|
||||||
|
" (from %d to %d)\n",
|
||||||
|
loader->num_glyphs,
|
||||||
|
( limit - parser->root.cursor ) >> 2 ));
|
||||||
|
loader->num_glyphs = ( limit - parser->root.cursor ) >> 2;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
else if ( *parser->root.cursor == '<' )
|
else if ( *parser->root.cursor == '<' )
|
||||||
{
|
{
|
||||||
|
|
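Review bot: The `FT_TRACE0` call passes `( limit - parser->root.cursor ) >> 2`, a pointer difference of type `ptrdiff_t`, to a `%d` conversion, which is a type mismatch on platforms where `ptrdiff_t` is wider than `int`. Computing the bound once, for example `FT_PtrDist max_glyphs = ( limit - parser->root.cursor ) >> 2;`, and using it in the comparison, the trace (with a cast or conversion matching the format) and the assignment would fix the mismatch and remove the triple evaluation. The clamp also relies on `parser->root.cursor <= limit` at this point, since a negative difference would compare and shift in an implementation-defined way; that is presumably guaranteed by checks earlier in `t42_parse_charstrings`, whose body starts and ends outside this hunk, and a short comment saying so would help. The existing comment could also state why the count is clamped: the declared `CharStrings` count comes from the font file and is used to size later work, so it must not exceed what the remaining stream can hold.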