[cff] Truncate the element length at the end of the stream.
See Savannah bug #30975. * src/cff/cffload.c (cff_index_access_element): `off2', the offset to the next element is truncated at the end of the stream to prevent invalid I/O. As `off1', the offset to the requested element has been checked by FT_STREAM_SEEK(), `off2' should be checked similarly.
parent
d2d843a01c
commit
73aa20ca1d
11
ChangeLog
11
ChangeLog
|
@ -1,3 +1,14 @@
|
||||||
|
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||||
|
|
||||||
|
[cff] Truncate the element length at the end of the stream.
|
||||||
|
See Savannah bug #30975.
|
||||||
|
|
||||||
|
* src/cff/cffload.c (cff_index_access_element): `off2', the
|
||||||
|
offset to the next element is truncated at the end of the
|
||||||
|
stream to prevent invalid I/O. As `off1', the offset to the
|
||||||
|
requested element has been checked by FT_STREAM_SEEK(),
|
||||||
|
`off2' should be checked similarly.
|
||||||
|
|
||||||
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||||
|
|
||||||
[cff] Ignore CID > 0xFFFFU.
|
[cff] Ignore CID > 0xFFFFU.
|
||||||
|
|
|
@ -519,6 +519,17 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* XXX: should check off2 does not exceed the end of this entry */
|
||||||
|
/* at present, only truncate off 2 at the end of this stream */
|
||||||
|
if ( idx->data_offset + off2 - 1 > stream->size )
|
||||||
|
{
|
||||||
|
FT_ERROR(( "cff_index_access_element:"
|
||||||
|
" offset to next entry (%d)"
|
||||||
|
" exceeds the end of stream (%d)\n",
|
||||||
|
off2, stream->size - idx->data_offset + 1 ));
|
||||||
|
off2 = stream->size - idx->data_offset + 1;
|
||||||
|
}
|
||||||
|
|
||||||
/* access element */
|
/* access element */
|
||||||
if ( off1 && off2 > off1 )
|
if ( off1 && off2 > off1 )
|
||||||
{
|
{
|
||||||
|
|
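Review bot: The new bound check `idx->data_offset + off2 - 1 > stream->size` adds a font-supplied offset before comparing, so if these are unsigned long values (their declarations are outside the hunk) a very large `off2` can wrap the sum where long is 32 bits and slip past the clamp unmodified. Comparing against the remaining room avoids the addition: `if ( off2 > stream->size - idx->data_offset + 1 )`. That form relies on `idx->data_offset <= stream->size` having been established earlier in cff_index_access_element, whose body starts and ends outside this hunk; the same subtraction is already used unguarded in the clamp assignment. The FT_ERROR call also prints both values with `%d`; if they are FT_ULong the specifiers should be `%lu` (or `%ld`) so the format matches the argument type.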