[type1] Fix another potential buffer overflow (#45955).

* src/type1/t1parse (T1_Get_Private_Dict): Assure that check for `eexec' doesn't exceed `limit'.
2015-09-14 00:38:26 +02:00 · 2015-09-14 00:38:26 +02:00 · 7962a15d64
parent ff7d640404
commit 7962a15d64
2 changed files with 19 additions and 6 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2015-09-14  Werner Lemberg  <wl@gnu.org>
+
+	[type1] Fix another potential buffer overflow (#45955).
+
+	* src/type1/t1parse (T1_Get_Private_Dict): Assure that check for
+	`eexec' doesn't exceed `limit'.
+
 2015-09-13  Werner Lemberg  <wl@gnu.org>

 	Replace `mkinstalldirs' with AC_PROG_MKDIR_P.
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@ -334,7 +334,6 @@
      /* first of all, look at the `eexec' keyword */
      FT_Byte*    cur   = parser->base_dict;
      FT_Byte*    limit = cur + parser->base_len;
-      FT_Byte     c;
      FT_Pointer  pos_lf;
      FT_Bool     test_cr;

@ -342,9 +341,9 @@
    Again:
      for (;;)
      {
-        c = cur[0];
-        if ( c == 'e' && cur + 9 < limit )  /* 9 = 5 letters for `eexec' + */
-                                            /* whitespace + 4 chars        */
+        if ( cur[0] == 'e'   &&
+             cur + 9 < limit )      /* 9 = 5 letters for `eexec' + */
+                                    /* whitespace + 4 chars        */
        {
          if ( cur[1] == 'e' &&
               cur[2] == 'x' &&
@ -374,8 +373,15 @@

      while ( cur < limit )
      {
-        if ( *cur == 'e' && ft_strncmp( (char*)cur, "eexec", 5 ) == 0 )
-          goto Found;
+        if ( cur[0] == 'e'   &&
+             cur + 5 < limit )
+        {
+          if ( cur[1] == 'e' &&
+               cur[2] == 'x' &&
+               cur[3] == 'e' &&
+               cur[4] == 'c' )
+            goto Found;
+        }

        T1_Skip_PS_Token( parser );
        if ( parser->root.error )