Fix Savannah bug #43539.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow by a broken POST table in resource-fork.
2014-11-26 15:52:23 +09:00 · 2014-11-26 15:52:23 +09:00 · 35252ae9aa
parent 240c94a185
commit 35252ae9aa
2 changed files with 24 additions and 0 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2014-11-26  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	Fix Savannah bug #43539.
+
+	* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
+	by a broken POST table in resource-fork.
+
 2014-11-26  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>

 	Fix Savannah bug #43538.
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@ -1617,6 +1617,11 @@
        goto Exit2;
      if ( FT_READ_LONG( rlen ) )
        goto Exit2;
+      if ( rlen < 0 )
+      {
+        error = FT_THROW( Invalid_Offset );
+        goto Exit2;
+      }
      if ( FT_READ_USHORT( flags ) )
        goto Exit2;
      FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
@ -1634,7 +1639,14 @@
        rlen = 0;

      if ( ( flags >> 8 ) == type )
+      {
+        if ( 0x7FFFFFFFL - rlen < len )
+        {
+          error = FT_THROW( Array_Too_Large );
+          goto Exit2;
+        }
        len += rlen;
+      }
      else
      {
        if ( pfb_lenpos + 3 > pfb_len + 2 )
@ -1663,6 +1675,11 @@
      }

      error = FT_ERR( Cannot_Open_Resource );
+      if ( rlen > 0x7FFFFFFFL - pfb_pos )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto Exit2;
+      }
      if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
        goto Exit2;