

ref: 0545ec1ca36b27cb928128870a83e5f668980bc5
parent: 8b819254b9fa1e686eaff8f6b214dfd8eeebe8a0
author: Werner Lemberg <[email protected]>
date: Fri Mar 20 02:49:10 EDT 2009

Protect against invalid SID values in CFFs.

Problem reported by Tavis Ormandy <[email protected]>.

* src/cff/cffload.c (cff_charset_load): Reject SID values larger
than 64999.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2009-03-20  Werner Lemberg  <[email protected]>
+
+	Protect against invalid SID values in CFFs.
+
+	Problem reported by Tavis Ormandy <[email protected]>.
+
+	* src/cff/cffload.c (cff_charset_load): Reject SID values larger
+	than 64999.
+
 2009-03-19  Vincent Richomme <[email protected]>
 
 	Update WinCE Visual C project files.
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -842,8 +842,21 @@
             goto Exit;
 
           for ( j = 1; j < num_glyphs; j++ )
-            charset->sids[j] = FT_GET_USHORT();
+          {
+            FT_UShort sid = FT_GET_USHORT();
 
+
+            /* this constant is given in the CFF specification */
+            if ( sid < 65000 )
+              charset->sids[j] = sid;
+            else
+            {
+              FT_ERROR(( "cff_charset_load:"
+                         " invalid SID value %d set to zero\n", sid ));
+              charset->sids[j] = 0;
+            }
+          }
+
           FT_FRAME_EXIT();
         }
         break;
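Review bot: The SID upper bound 65000 is written as a bare literal here and again three times in the following hunk (the `glyph_sid >= 65000` check and both sides of the `nleft` trim), so a future correction to one site can silently diverge from the others; a single named constant such as `#define CFF_MAX_SID  65000  /* per the CFF specification */` near the top of the file, used at all four sites, would keep the bound in one place. The `/* this constant is given in the CFF specification */` comment could then move to that definition. The two consecutive blank lines after `FT_UShort sid = FT_GET_USHORT();` look unintentional and could be collapsed to one. The enclosing `switch` and the loop's surrounding function body start outside the hunk.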
@@ -873,6 +886,20 @@
             {
               if ( FT_READ_BYTE( nleft ) )
                 goto Exit;
+            }
+
+            /* check whether the range contains at least one valid glyph; */
+            /* the constant is given in the CFF specification             */
+            if ( glyph_sid >= 65000 ) {
+              FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
+              error = CFF_Err_Invalid_File_Format;
+              goto Exit;
+            }
+
+            /* try to rescue some of the SIDs if `nleft' is too large */
+            if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
+              FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
+              nleft = 65000 - 1 - glyph_sid;
             }
 
             /* Fill in the range of sids -- `nleft + 1' glyphs. */
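Review bot: The two new `if` statements put the opening brace on the same line as the condition (`if ( glyph_sid >= 65000 ) {` and `if ( nleft > 65000 - 1 || ... ) {`), whereas the rest of this file, including the first hunk of this commit, places `{` on its own line; moving the braces keeps the file uniform. The trim arithmetic itself looks right: the earlier `glyph_sid >= 65000` rejection guarantees `65000 - 1 - glyph_sid` is non-negative, and the largest SID the trimmed range can produce is 64999. Whether the fill loop after the hunk tolerates a reduced `nleft` without leaving later glyph slots unwritten cannot be seen here, since the "Fill in the range" loop and the enclosing function continue outside the hunk; it may be worth confirming that `charset->sids` was zero-initialised when it was allocated.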