[winfonts] Check alignment shift count for resource data (#45938).

* src/winfonts/winfnt.c (fnt_face_get_dll_font): Implement it.
2015-09-13 09:21:52 +02:00 · 2015-09-13 09:21:52 +02:00 · 3df92aa04c
parent e3058617f3
commit 3df92aa04c
2 changed files with 21 additions and 0 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+2015-09-13  Werner Lemberg  <wl@gnu.org>
+
+	[winfonts] Check alignment shift count for resource data (#45938).
+
+	* src/winfonts/winfnt.c (fnt_face_get_dll_font): Implement it.
+
 2015-09-13  Werner Lemberg  <wl@gnu.org>

 	[type1] Fix potential buffer overflow (#45923).
--- a/src/winfonts/winfnt.c
+++ b/src/winfonts/winfnt.c
@ -320,6 +320,21 @@

        size_shift = FT_GET_USHORT_LE();

+        /* Microsoft's specification of the executable-file header format */
+        /* for `New Executable' (NE) doesn't give a limit for the         */
+        /* alignment shift count; however, in 1985, the year of the       */
+        /* specification release, only 32bit values were supported, thus  */
+        /* anything larger than 16 doesn't make sense in general, given   */
+        /* that file offsets are 16bit values, shifted by the alignment   */
+        /* shift count                                                    */
+        if ( size_shift > 16 )
+        {
+          FT_TRACE2(( "invalid alignment shift count for resource data\n" ));
+          error = FT_THROW( Invalid_File_Format );
+          goto Exit;
+        }
+
+
        for (;;)
        {
          FT_UShort  type_id, count;