diff --git a/ChangeLog b/ChangeLog
index c9c54c70d..65eae1878 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2012-03-01 Werner Lemberg
+
+ [psaux] Fix Savannah bug #35657.
+
+ If in function `skip_spaces' the routine `skip_comment' comes to the
+ end of buffer, `cur' is still increased by one, so we need to check
+ for `p >= limit' and not `p == limit'.
+
+ * src/psaux/psconv.c (PS_Conv_Strtol, PS_Conv_ToFixed,
+ PS_Conv_ASCIIHexDecode, PS_Conv_EexecDecode): Fix boundary checking.
+
 2012-03-01 Werner Lemberg
 [truetype] Fix Savannah bug #35646.
diff --git a/src/psaux/psconv.c b/src/psaux/psconv.c
index 1531d8f0f..9ea7fb988 100644
--- a/src/psaux/psconv.c
+++ b/src/psaux/psconv.c
@@ -4,7 +4,7 @@
 /* */
 /* Some convenience conversions (body). */
 /* */
-/* Copyright 2006, 2008, 2009 by */
+/* Copyright 2006, 2008, 2009, 2012 by */
 /* David Turner, Robert Wilhelm, and Werner Lemberg. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -79,7 +79,7 @@
 FT_Bool sign = 0;
- if ( p == limit || base < 2 || base > 36 )
+ if ( p >= limit || base < 2 || base > 36 )
 return 0;
 if ( *p == '-' || *p == '+' )
@@ -150,7 +150,7 @@
 FT_Bool sign = 0;
- if ( p == limit )
+ if ( p >= limit )
 return 0;
 if ( *p == '-' || *p == '+' )
@@ -346,7 +346,11 @@
 #if 1
- p = *cursor;
+ p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
 if ( n > (FT_UInt)( limit - p ) )
 n = (FT_UInt)( limit - p );
@@ -434,6 +438,10 @@
 #if 1
 p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
 if ( n > (FT_UInt)(limit - p) )
 n = (FT_UInt)(limit - p);
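Review bot: The `p >= limit` guard in the `@@ -79` hunk (and the identical one at `@@ -150`) copes with a cursor that is already past `limit`, but the commit message places the cause in `skip_comment`/`skip_spaces`, which this patch does not touch; any other consumer that still compares with `== limit` would presumably keep reading past the buffer. Consider also clamping the cursor where it is advanced, so that `cur <= limit` holds on return, and keeping these `>=` tests as defence in depth. A short comment at the guard, such as `/* cursor may be beyond `limit' after skip_comment, so test `>=' */`, would stop a later cleanup from turning it back into `==`. Both enclosing functions start and end outside the hunks, so the later `*p` reads could not be checked from here.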
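Review bot: In the `@@ -346` and `@@ -434` hunks the new early return is what keeps `limit - p` non-negative before it is cast to `FT_UInt`, and that dependency is not documented. With `p > limit` the difference would wrap to a large unsigned value and the clamp of `n` on the following line would not fire. A comment above the guard, for example `/* must precede the clamp: `limit - p' is cast to unsigned below */`, would make the ordering requirement explicit. The early return also leaves `*cursor` unchanged, presumably still past `limit`, so callers have to tolerate that; the rest of both functions lies outside the hunks.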