From f29f741efbba0a5ce2f16464f648fb8d026ed4c8 Mon Sep 17 00:00:00 2001 From: suzuki toshiya Date: Thu, 1 Jul 2010 17:31:03 +0900 Subject: [PATCH 1/2] Additional fix for Savannah bug #30248 and #30249. * src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer size during gathering PFB fragments embedded in LaserWriter PS font for Macintosh. Reported by Robert Swiecki. --- ChangeLog | 8 ++++++++ src/base/ftobjs.c | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/ChangeLog b/ChangeLog index 948c563fe..de3c5079e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2010-07-01 suzuki toshiya + + Additional fix for Savannah bug #30248 and #30249. + + * src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer + size during gathering PFB fragments embedded in LaserWriter PS + font for Macintosh. Reported by Robert Swiecki. + 2010-06-30 Alexei Podtelezhnikov Minor optimizations by avoiding divisions. diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c index 32d441721..9217b8767 100644 --- a/src/base/ftobjs.c +++ b/src/base/ftobjs.c @@ -1552,6 +1552,8 @@ len += rlen; else { + if ( pfb_lenpos + 3 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_lenpos ] = (FT_Byte)( len ); pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 ); pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 ); @@ -1560,6 +1562,8 @@ if ( ( flags >> 8 ) == 5 ) /* End of font mark */ break; + if ( pfb_pos + 6 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_pos++] = 0x80; type = flags >> 8; @@ -1579,9 +1583,13 @@ pfb_pos += rlen; } + if ( pfb_pos + 2 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_pos++] = 0x80; pfb_data[pfb_pos++] = 3; + if ( pfb_lenpos + 3 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_lenpos ] = (FT_Byte)( len ); pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 ); pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 ); From 5ef20c8c1d4de12a84b50ba497c2a358c90ec44b Mon Sep 17 00:00:00 2001 
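Review bot: The four new `goto Exit2` paths in this hunk and in the next two hunks of ftobjs.c never assign `error`, so after a successful `FT_READ_USHORT( flags )` the function presumably still carries FT_Err_Ok to Exit2 and returns success with the buffer freed and no face opened; each guard should be preceded by something like `error = FT_Err_Array_Too_Large;` (Exit2 and the return statement are outside these hunks, so this is inferred from the visible control flow). Separately, the `+ 2` in the guards suggests the buffer is pfb_len + 2 bytes, and the sibling guards `pfb_pos + 6` and `pfb_pos + 2` are written as start + count, whereas `if ( pfb_lenpos + 3 > pfb_len + 2 )` covers only three of the four length bytes. If the fourth write `pfb_data[pfb_lenpos + 3]` follows the hunk's last line, as the 24-bit shift on the preceding line implies, the guard admits pfb_lenpos + 3 == pfb_len + 2 and a write one past the end, so it should read `if ( pfb_lenpos + 4 > pfb_len + 2 )` here and in the third hunk. Mac_Read_POST_Resource starts and ends outside these hunks.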
From: suzuki toshiya Date: Thu, 1 Jul 2010 18:39:04 +0900 Subject: [PATCH 2/2] Initial fix for Savannah bug #30306. * src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen' the length of fragment declared in the POST fragment header and prevent an underflow in length calculation. Some fonts set the length to zero in spite of the exist of following 16bit `type'. Reported by Robert Swiecki. --- ChangeLog | 10 ++++++++++ src/base/ftobjs.c | 11 ++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index de3c5079e..af91e0038 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2010-07-01 suzuki toshiya + + Initial fix for Savannah bug #30306. + + * src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen' + the length of fragment declared in the POST fragment header + and prevent an underflow in length calculation. Some fonts + set the length to zero in spite of the exist of following + 16bit `type'. Reported by Robert Swiecki. + 2010-07-01 suzuki toshiya Additional fix for Savannah bug #30248 and #30249. diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c index 9217b8767..7c2662f6e 100644 --- a/src/base/ftobjs.c +++ b/src/base/ftobjs.c @@ -1547,7 +1547,16 @@ goto Exit; if ( FT_READ_USHORT( flags ) ) goto Exit; - rlen -= 2; /* the flags are part of the resource */ + FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", + i, offsets[i], rlen, flags )); + + /* the flags are part of the resource, so rlen >= 2. */ + /* but some fonts declare rlen = 0 for empty fragment */ + if ( rlen > 2 ) + rlen -= 2; + else + rlen = 0; + if ( ( flags >> 8 ) == type ) len += rlen; else
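Review bot: The added FT_TRACE3 passes `offsets[i]` and `rlen` to `%08x`; if both are FT_Long as the rest of this function suggests (their declarations are outside the hunk), that is a format/argument mismatch in trace-enabled builds on LP64 targets where long is 64 bits and `%x` expects unsigned int, so those two conversions should be `%08lx` (`flags` from FT_READ_USHORT is fine with `%04x` after promotion). The new `else` branch also clamps a negative `rlen` to 0, not only the 0 and 1 cases the comment describes, which silently accepts a corrupt fragment header; if that is intended, say so in the comment, e.g. `/* a negative rlen (corrupt header) is clamped to 0 as well */`, otherwise reject it explicitly before the subtraction. Mac_Read_POST_Resource starts and ends outside the hunk.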