Fix Savannah bug #43540.

* src/base/ftmac.c (parse_fond): Prevent a buffer overrun
caused by a font that includes too many (> 63) strings to store
in the names[] table.
suzuki toshiya 2014-11-26 16:11:38 +09:00
parent 453316792f
commit 18a8f0d994
2 changed files with 11 additions and 2 deletions


@ -1,3 +1,11 @@
2014-11-26 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
Fix Savannah bug #43540.
* src/base/ftmac.c (parse_fond): Prevent a buffer overrun
caused by a font including too many (> 63) strings to store
names[] table.
2014-11-26 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
* src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long


@ -440,9 +440,10 @@
style = (StyleTable*)p;
p += sizeof ( StyleTable );
string_count = EndianS16_BtoN( *(short*)(p) );
string_count = FT_MIN( 64, string_count );
p += sizeof ( short );
for ( i = 0; i < string_count && i < 64; i++ )
for ( i = 0; i < string_count; i++ )
{
names[i] = p;
p += names[i][0];
@ -459,7 +460,7 @@
ps_name[ps_name_len] = 0;
}
if ( style->indexes[face_index] > 1 &&
style->indexes[face_index] <= FT_MIN( string_count, 64 ) )
style->indexes[face_index] <= string_count )
{
unsigned char* suffixes = names[style->indexes[face_index] - 1];
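Review bot: The loop that fills `names[]` still advances `p` by a length byte read from the font (`p += names[i][0]`), and nothing in the hunk compares `p` with the end of the FOND data. The clamp bounds the writes to `names[]`, but for a malformed font the stored pointers, and so the later `names[style->indexes[face_index] - 1]` read, may still point past the resource. If the resource size is available to `parse_fond`, the walk should stop and `string_count` should drop to the number of entries actually read once `p` would cross the end. The literal `64` would also be safer derived from the array itself, e.g. `sizeof ( names ) / sizeof ( names[0] )`, presuming `names` is declared as an array here. Its declaration and the rest of `parse_fond` lie outside the hunk.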