ref: 240c94a185cd8dae7d03059abec8a5662c35ecd3
parent: 5aff85301bdce7677766fa1367c82ff41a739637
author: suzuki toshiya <[email protected]>
date: Wed Nov 26 10:43:29 EST 2014
Fix Savannah bug #43538. * src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow by a broken POST table in resource-fork.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2014-11-26 suzuki toshiya <[email protected]>
+ Fix Savannah bug #43538.
+
+ * src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
+ by a broken POST table in resource-fork.
+
+2014-11-26 suzuki toshiya <[email protected]>
+
* src/base/ftobjs.c (Mac_Read_POST_Resource): Avoid memory leak
by a broken POST table in resource-fork. Return after freeing
the buffered POST table when it is found to be broken.
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1580,10 +1580,23 @@
goto Exit;
if ( FT_READ_LONG( temp ) )
goto Exit;
+ if ( 0 > temp )
+ error = FT_THROW( Invalid_Offset );
+ else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
+ error = FT_THROW( Array_Too_Large );
+
+ if ( error )
+ goto Exit;
+
pfb_len += temp + 6;
}
- if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
+ if ( 0x7FFFFFFFL - 2 < pfb_len )
+ error = FT_THROW( Array_Too_Large );
+ else
+ error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
+
+ if ( error )
goto Exit;
pfb_data[0] = 0x80;