From 18b552f6aeb84dc6fb5f9b8a3b37e0d4414de45e Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Sun, 27 Jun 2010 15:41:02 +0200
Subject: [PATCH] [cff] Really fix `hintmask' and `cntrmask' limit check.
* src/cff/cffgload.c (cff_decoder_parse_charstrings) : Fix thinko and handle tracing also.
---
 ChangeLog | 7 +++++++
 src/cff/cffgload.c | 18 ++++++++----------
 2 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c36a90943..087ce1c9e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-06-27 Werner Lemberg
+
+ [cff] Really fix `hintmask' and `cntrmask' limit check.
+
+ * src/cff/cffgload.c (cff_decoder_parse_charstrings)
+ : Fix thinko and handle tracing also.
+
 2010-06-27 Werner Lemberg
 Fix valgrind warning.
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index e77e2801d..5459e67b9 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -1339,16 +1339,16 @@
 decoder->num_hints += num_args / 2;
 }
+ /* In a valid charstring there must be at least three bytes */
+ /* after `hintmask' or `cntrmask' (two for a `moveto' */
+ /* operator and one for `endchar'). Additionally, there */
+ /* must be space for `num_hints' bits. */
+
+ if ( ( ip + 3 + ( ( decoder->num_hints + 7 ) >> 3 ) ) >= limit )
+ goto Syntax_Error;
+
 if ( hinter )
 {
- /* In a valid charstring there must be at least three bytes */
- /* after `hintmask' or `cntrmask' (two for a `moveto' */
- /* operator and one for `endchar'). Additionally, there */
- /* must be space for `num_hints' bits. */
-
- if ( ( ip + 3 + ( decoder->num_hints >> 8 ) ) >= limit )
- goto Syntax_Error;
-
 if ( op == cff_op_hintmask ) hinter->hintmask( hinter->hints, builder->current->n_points,
@@ -1377,8 +1377,6 @@
 #else
 ip += ( decoder->num_hints + 7 ) >> 3;
 #endif
- if ( ip >= limit )
- goto Syntax_Error;
 args = stack;
 break;
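Review bot: The new bound in the first `src/cff/cffgload.c` hunk builds the pointer `ip + 3 + ( ( decoder->num_hints + 7 ) >> 3 )` before comparing it with `limit`, so a large `num_hints` can push the intermediate pointer past the end of the charstring buffer, which is undefined behaviour in C and may wrap on some targets. `num_hints` is grown by `num_args / 2` just above, which presumably comes from the charstring itself, so the value should be treated as untrusted. Comparing the remaining length avoids forming that pointer: `if ( limit - ip <= 3 + ( ( decoder->num_hints + 7 ) >> 3 ) )` followed by the same `goto Syntax_Error;`. Because the second hunk removes the `ip >= limit` test after the advance, this pre-check becomes the only visible guard for the mask bytes; the type and upper bound of `num_hints` are not shown here, so a cap where it is incremented is worth confirming. The enclosing function starts and ends outside the hunk.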