ref: 01b508f2470a482308187a26b2a9af6bddce87e7
parent: a8c243514c9e2349f8aaabcb14da2d0a5cddceea
author: Werner Lemberg <[email protected]>
date: Wed Jul 18 06:38:54 EDT 2012
Fix Savannah bug #36832. * src/type1/t1load.c (parse_charstrings): Reject negative number of glyphs.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2012-07-16 Werner Lemberg <[email protected]>
+
+ Fix Savannah bug #36832.
+
+ * src/type1/t1load.c (parse_charstrings): Reject negative number of
+ glyphs.
+
2012-07-13 Werner Lemberg <[email protected]>
Fix Savannah bug #36829.
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1514,6 +1514,12 @@
num_glyphs = (FT_Int)T1_ToInt( parser );
+ if ( num_glyphs < 0 )
+ {+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
/* some fonts like Optima-Oblique not only define the /CharStrings */
/* array but access it also */
if ( num_glyphs == 0 || parser->root.error )