From 41821f8a8ae9961036101c6664ddb543eb3eaff5 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Sat, 20 Jun 2009 09:31:19 +0200
Subject: [PATCH] [psaux] Check large integers while parsing charstrings.

* src/psaux/t1decode.c (t1_decoder_parse_charstrings): Large integers must be followed by a `div' operator.
---
 ChangeLog | 7 +++++++
 src/psaux/t1decode.c | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 9f5168631..383d6dfdc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-06-20 Werner Lemberg
+
+ [psaux] Check large integers while parsing charstrings.
+
+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings): Large
+ integers must be followed by a `div' operator.
+
 2009-06-20 Werner Lemberg
 
 [cff] Revert last change.
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index d396a6803..e6ade0edc 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -337,6 +337,7 @@
 FT_Pos x, y, orig_x, orig_y;
 FT_Int known_othersubr_result_cnt = 0;
 FT_Int unknown_othersubr_result_cnt = 0;
+ FT_Bool large_int;
 
 T1_Hints_Funcs hinter;
 
@@ -387,6 +388,8 @@
 if ( hinter )
 hinter->open( hinter->hints );
 
+ large_int = FALSE;
+
 /* now, execute loop */
 while ( ip < limit )
 {
@@ -531,6 +534,25 @@
 ((FT_Long)ip[2] << 8 ) |
 ip[3] );
 ip += 4;
+
+ /* According to the specification, values > 32000 or < -32000 must */
+ /* be followed by a `div' operator to make the result be in the */
+ /* range [-32000;32000]. We expect that the second argument of */
+ /* `div' is not a large number. Additionally, we don't handle */
+ /* stuff like ` div div' or */
+ /* div div'. This is probably not */
+ /* allowed anyway. */
+ if ( value > 32000 || value < -32000 )
+ {
+ if ( large_int )
+ {
+ FT_ERROR(( "t1_decoder_parse_charstrings:" ));
+ FT_ERROR(( " no `div' after large integer\n" ));
+ }
+ else
+ large_int = TRUE;
+ }
+
 break;
 
 default:
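Review bot: In the four-byte-integer branch the repeated-large-integer case only logs through FT_ERROR and then falls through to `break;`, so the charstring keeps executing with `large_int` still TRUE and the same message is emitted again for every further large value. The function already rejects malformed input with `goto Syntax_Error;` (visible in the `@@ -1224` hunk for division by zero); if a second large integer without an intervening `div` is meant to be rejected, add `goto Syntax_Error;` after the two FT_ERROR calls, otherwise the block comment should state that this check is diagnostic only. As a point of style, the two FT_ERROR calls carrying one message could be a single call with adjacent string literals, which keeps the message atomic in the log. The enclosing `switch` and t1_decoder_parse_charstrings itself begin and end outside this hunk.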
@@ -578,6 +600,14 @@
 }
 }
 
+ if ( large_int && !( op == op_none || op == op_div ) )
+ {
+ FT_ERROR(( "t1_decoder_parse_charstrings:" ));
+ FT_ERROR(( " no `div' after large integer\n" ));
+
+ large_int = FALSE;
+ }
+
 /*********************************************************************/
 /* */
 /* Push value on stack, or process operator */
@@ -1224,6 +1254,9 @@
 FT_ERROR(( "t1_decoder_parse_charstrings: division by 0\n" ));
 goto Syntax_Error;
 }
+
+ large_int = FALSE;
+
 break;
 
 case op_callsubr:
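Review bot: The `op == op_none` exemption in the new check lets any number of operands be pushed between the large integer and `div`, so a sequence of the form large-value, number, number, `div` never triggers the error while the large value itself is presumably not the one being divided and remains on the stack; the reset in the `@@ -1224` hunk then clears the flag as if the value had been consumed. If this is an accepted limitation, the block comment in the four-byte-integer branch should say so; otherwise record the stack depth at which the large integer was pushed and require `div` to arrive with exactly one further operand. This path, like the first check, only logs and then sets `large_int = FALSE;` rather than using `goto Syntax_Error;`, so the violation does not stop parsing. The enclosing `while ( ip < limit )` loop begins and ends outside this hunk.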