From f1631f2db054d8f49115fda1e254a479c4cdc9fe Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 19 Jun 2009 23:50:37 +0200
Subject: [PATCH] [cff] Fix handling of reserved byte 0xFF.
* src/cff/cffgload.c (cff_decoder_parse_charstrings): Abort if byte 0xFF is encountered.
---
ChangeLog | 7 +++++++
src/cff/cffgload.c | 14 +++-----------
2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index df83e9af5..61bd6149f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-06-19 Werner Lemberg
+
+ [cff] Fix handling of reserved byte 0xFF.
+
+ * src/cff/cffgload.c (cff_decoder_parse_charstrings): Abort if byte
+ 0xFF is encountered.
+
 2009-06-19 Werner Lemberg

 Improve debug messages for Type1 charstrings.
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index 03956cab8..6cb26a43e 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -938,17 +938,9 @@
 goto Syntax_Error;
 val = -( (FT_Long)v - 251 ) * 256 - *ip++ - 108;
 }
- else
- {
- if ( ip + 3 >= limit )
- goto Syntax_Error;
- val = ( (FT_Int32)ip[0] << 24 ) |
- ( (FT_Int32)ip[1] << 16 ) |
- ( (FT_Int32)ip[2] << 8 ) |
- ip[3];
- ip += 4;
- shift = 0;
- }
+ else /* 255 */
+ goto Syntax_Error;
+
 if ( decoder->top - stack >= CFF_MAX_OPERANDS )
 goto Stack_Overflow;
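Review bot: The new `else /* 255 */ goto Syntax_Error;` branch in the cffgload.c hunk treats 255 as reserved, but to my knowledge that is only true for CFF DICT data; in Type 2 charstrings, which cff_decoder_parse_charstrings decodes, 255 introduces a four-byte 16.16 fixed-point operand. The removed branch matches that reading (bounds check against `limit`, four-byte read, `shift = 0`), so glyphs that use fractional operands would now fail to load. Rejecting the byte fails closed and is not a memory-safety problem, but it is a parsing regression that turns valid fonts into errors. If the goal was hardening, I would keep the branch and build the value from unsigned parts, since `(FT_Int32)ip[0] << 24` overflows a signed int when the top bit is set: `val = (FT_Int32)( ( (FT_UInt32)ip[0] << 24 ) | ( (FT_UInt32)ip[1] << 16 ) | ( (FT_UInt32)ip[2] << 8 ) | (FT_UInt32)ip[3] );`. The enclosing function starts and ends outside the hunk, so the later use of `shift` is not visible here.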