From 14a16e3430ce85538ba9116816cf463cf8827708 Mon Sep 17 00:00:00 2001 From: Braden Thomas Date: Tue, 8 Nov 2011 08:27:42 +0100 Subject: [PATCH] [cid] Various loading fixes. * src/cid/cidload.c (cid_load_keyword) , (parse_font_matrix, parse_expansion_factor): Correctly check number of dictionaries. (cid_read_subrs): Protect against invalid values of `num_subrs'. Assure that the elements of the `offsets' array are ascending. --- ChangeLog | 10 ++++++++++ src/cid/cidload.c | 26 ++++++++++++++++++++++---- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index a5bf94e72..f40b548ef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2011-11-08 Braden Thomas + + [cid] Various loading fixes. + + * src/cid/cidload.c (cid_load_keyword) , + (parse_font_matrix, parse_expansion_factor): Correctly check number + of dictionaries. + (cid_read_subrs): Protect against invalid values of `num_subrs'. + Assure that the elements of the `offsets' array are ascending. + 2011-11-05 Werner Lemberg * README: We use copyright ranges also. diff --git a/src/cid/cidload.c b/src/cid/cidload.c index 3bb359446..5f712bcf1 100644 --- a/src/cid/cidload.c +++ b/src/cid/cidload.c @@ -4,7 +4,7 @@ /* */ /* CID-keyed Type1 font loader (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2009 by */ +/* Copyright 1996-2006, 2009, 2011 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -110,7 +110,7 @@ CID_FaceDict dict; - if ( parser->num_dict < 0 ) + if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts ) { FT_ERROR(( "cid_load_keyword: invalid use of `%s'\n", keyword->ident )); @@ -158,7 +158,7 @@ FT_Fixed temp_scale; - if ( parser->num_dict >= 0 ) + if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts ) { dict = face->cid.font_dicts + parser->num_dict; matrix = &dict->font_matrix; 
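Review bot: The widened condition in parse_font_matrix (@@ -158) makes an out-of-range dictionary index silently skip the FontMatrix, while the same condition in cid_load_keyword one hunk above is reported with FT_ERROR; the parse_expansion_factor hunk (@@ -249) has the same asymmetry. Skipping num_dict < 0 was the pre-existing behaviour and may be deliberate, but num_dict >= face->cid.num_dicts means the font uses more dictionaries than it declared, which is worth a diagnostic so a malformed font does not pass through without a trace. An `else` branch such as `FT_ERROR(( "parse_font_matrix: no valid dictionary for FontMatrix\n" ));` would keep the three checks consistent. Both functions begin and end outside their hunks.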
@@ -249,7 +249,7 @@ CID_FaceDict dict; - if ( parser->num_dict >= 0 ) + if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts ) { dict = face->cid.font_dicts + parser->num_dict; @@ -413,12 +413,25 @@ FT_Byte* p; + /* Check for possible overflow. */ + if ( num_subrs == FT_UINT_MAX ) + { + error = CID_Err_Syntax_Error; + goto Fail; + } + /* reallocate offsets array if needed */ if ( num_subrs + 1 > max_offsets ) { FT_UInt new_max = FT_PAD_CEIL( num_subrs + 1, 4 ); + if ( new_max <= max_offsets ) + { + error = CID_Err_Syntax_Error; + goto Fail; + } + if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) ) goto Fail; @@ -436,6 +449,11 @@ FT_FRAME_EXIT(); + /* offsets must be ordered */ + for ( count = 1; count <= num_subrs; count++ ) + if ( offsets[count - 1] > offsets[count] ) + goto Fail; + /* now, compute the size of subrs charstrings, */ /* allocate, and read them */ data_len = offsets[num_subrs] - offsets[0];
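Review bot: The two new guards in cid_read_subrs (@@ -413) close the unsigned wrap in `num_subrs + 1` and in the FT_PAD_CEIL result, but any large in-range value of num_subrs taken from the font still reaches FT_RENEW_ARRAY before the stream has been checked for the num_subrs + 1 offsets that are read afterwards (the FT_FRAME_EXIT in the next hunk suggests a frame read sits between). The failure path is handled by `goto Fail`, so the exposure is an oversized allocation attempt per malformed font rather than a memory error, assuming FT_RENEW_ARRAY itself rejects a count whose byte size would overflow. Comparing num_subrs against the number of offsets the remaining stream bytes can hold, before the reallocation, would turn that into a cheap syntax error; the allocation guard could also say why it exists, e.g. `/* new_max wrapped around in FT_PAD_CEIL */` above the `new_max <= max_offsets` test. cid_read_subrs begins and ends outside this hunk.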
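Review bot: The ordering loop added after FT_FRAME_EXIT() in cid_read_subrs (@@ -436) jumps to Fail without assigning `error`, unlike the two guards added earlier in the same function, which set `error = CID_Err_Syntax_Error` first. If `error` still holds the success value left by the frame read that FT_FRAME_EXIT() just closed, a font with non-ascending subr offsets makes the function return success after the Fail cleanup has run, and the caller continues with a face whose subrs were never filled in. The branch should be `{ error = CID_Err_Syntax_Error; goto Fail; }`, optionally preceded by an FT_ERROR naming the condition, and the comment could state the contract the next line relies on: `/* offsets must be ascending: data_len below is offsets[num_subrs] - offsets[0] */`. cid_read_subrs begins and ends outside this hunk.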