From b6b26f45352633770fe676fc35e79221b6b9ce27 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Thu, 9 Jun 2016 06:53:48 +0200
Subject: [PATCH] [bdf] Check number of properties (#48166).
* src/bdf/bdflib.c (_bdf_parse_start): Implement.
---
 ChangeLog | 6 ++++++
 src/bdf/bdflib.c | 12 +++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 53d85e545..5c9ec1374 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2016-06-09 Werner Lemberg
+
+ [bdf] Check number of properties (#48166).
+
+ * src/bdf/bdflib.c (_bdf_parse_start): Implement.
+
 2016-06-08 Alexei Podtelezhnikov
 [smooth] Re-enable new line renderer on 64-bit archs.
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index 4baa9ca91..e1dce954f 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1127,7 +1127,7 @@
 propid = ft_hash_str_lookup( name, &(font->proptbl) );
 }
- /* Allocate another property if this is overflow. */
+ /* Allocate another property if this is overflowing. */
 if ( font->props_used == font->props_size )
 {
 if ( font->props_size == 0 )
@@ -1976,8 +1976,18 @@
 error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
 if ( error )
 goto Exit;
+ /* at this point, `p->font' can't be NULL */
 p->cnt = p->font->props_size = _bdf_atoul( p->list.field[1] );
+ /* We need at least 4 bytes per property. */
+ if ( p->cnt > p->size / 4 )
+ {
+ p->font->props_size = 0;
+
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG5, lineno, "STARTPROPERTIES" ));
+ error = FT_THROW( Invalid_Argument );
+ goto Exit;
+ }
 if ( FT_NEW_ARRAY( p->font->props, p->cnt ) )
 {
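Review bot: The `FT_ERROR` call in the new guard labels the failure `_bdf_parse_glyphs`, while the commit message and ChangeLog place this check in `_bdf_parse_start`, so a font rejected here would be logged against the wrong parser stage. I would change it to `FT_ERROR(( "_bdf_parse_start: " ERRMSG5, lineno, "STARTPROPERTIES" ));`. The comment on the bound could also say what it protects, for example `/* A property line occupies at least 4 bytes of input, so a count above p->size / 4 cannot be genuine; reject it before it sizes the array allocation below. */`, assuming `p->size` is the input length, which the hunk does not show. The enclosing function starts before the hunk and the `FT_NEW_ARRAY` block continues past it.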