diff --git a/ChangeLog b/ChangeLog index b42b929e0..a6465e746 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2014-11-12 Werner Lemberg + + [sfnt] Fix Savannah bug #43591. + + * src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition + and multiplication overflow. + 2014-11-12 Werner Lemberg [sfnt] Fix Savannah bug #43590. diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c index da6b01ba4..b37bd7dbb 100644 --- a/src/sfnt/ttsbit.c +++ b/src/sfnt/ttsbit.c @@ -394,9 +394,11 @@ p += 34; decoder->bit_depth = *p; - if ( decoder->strike_index_array > face->sbit_table_size || - decoder->strike_index_array + 8 * decoder->strike_index_count > - face->sbit_table_size ) + /* decoder->strike_index_array + */ + /* 8 * decoder->strike_index_count > face->sbit_table_size ? */ + if ( decoder->strike_index_array > face->sbit_table_size || + decoder->strike_index_count > + ( face->sbit_table_size - decoder->strike_index_array ) / 8 ) error = FT_THROW( Invalid_File_Format ); }