Fix Savannah bug #30658.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the total length of collected POST segments does not overrun the allocated buffer.
2010-08-06 14:11:54 +09:00 · 2010-08-06 14:11:54 +09:00 · 81f3472c0b
parent 223cb1b57c
commit 81f3472c0b
2 changed files with 13 additions and 0 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+2010-08-06  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	Fix Savannah bug #30658.
+
+	* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the total
+	length of collected POST segments does not overrun the allocated
+	buffer.
+
 2010-08-06  Yuriy Kaminskiy  <yumkam@mail.ru>

 	Fix conditional usage of FT_MulFix_i386.
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@ -1574,6 +1574,7 @@
      FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
                   i, offsets[i], rlen, flags ));

+      /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
      if ( ( flags >> 8 ) == 0 )        /* Comment, should not be loaded */
        continue;

@ -1613,6 +1614,10 @@
        pfb_data[pfb_pos++] = 0;
      }

+      error = FT_Err_Cannot_Open_Resource;
+      if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+        goto Exit2;
+
      error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
      if ( error )
        goto Exit2;