[type1]: Improve guard against malformed data.

Based on a patch submitted by Johnson Y. Yan
<yinsen_yan@foxitsoftware.com>

* src/type1/t1load.c (read_binary_data): Check `size'.

ChangeLog

@@ -1,3 +1,11 @@
+2010-11-18  Werner Lemberg  <wl@gnu.org>
+
+	[type1]: Improve guard against malformed data.
+	Based on a patch submitted by Johnson Y. Yan
+	<yinsen_yan@foxitsoftware.com>
+
+	* src/type1/t1load.c (read_binary_data): Check `size'.
+
 2010-11-17  Werner Lemberg  <wl@gnu.org>
 
 	[sfnt] While tracing, output table checksums also.

src/type1/t1load.c

@@ -4,7 +4,8 @@
 /*                                                                         */
 /*    Type 1 font loader (body).                                           */
 /*                                                                         */
-/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
+/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,   */
+/*            2010 by                                                      */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -1045,7 +1046,8 @@
 
     if ( cur < limit && ft_isdigit( *cur ) )
     {
-      *size = T1_ToInt( parser );
+      FT_Long  s = T1_ToInt( parser );
+
 
       T1_Skip_PS_Token( parser );   /* `RD' or `-|' or something else */
 
@@ -1053,8 +1055,12 @@
       /* `RD' or `-|' token                          */
       *base = parser->root.cursor + 1;
 
-      parser->root.cursor += *size + 1;
-      return !parser->root.error;
+      if ( s >= 0 && s < limit - *base )
+      {
+        parser->root.cursor += s + 1;
+        *size = s;
+        return !parser->root.error;
+      }
     }
 
     FT_ERROR(( "read_binary_data: invalid size field\n" ));