ref: 257c270bd25e15890190a28a1456e7623bba4439
parent: 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891
author: Werner Lemberg <[email protected]>
date: Wed Nov 12 16:42:13 EST 2014
[sfnt] Fix Savannah bug #43591. * src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition and multiplication overflow.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2014-11-12 Werner Lemberg <[email protected]>
+ [sfnt] Fix Savannah bug #43591.
+
+ * src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition
+ and multiplication overflow.
+
+2014-11-12 Werner Lemberg <[email protected]>
+
[sfnt] Fix Savannah bug #43590.
* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -394,9 +394,11 @@
p += 34;
decoder->bit_depth = *p;
- if ( decoder->strike_index_array > face->sbit_table_size ||
- decoder->strike_index_array + 8 * decoder->strike_index_count >
- face->sbit_table_size )
+ /* decoder->strike_index_array + */
+ /* 8 * decoder->strike_index_count > face->sbit_table_size ? */
+ if ( decoder->strike_index_array > face->sbit_table_size ||
+ decoder->strike_index_count >
+ ( face->sbit_table_size - decoder->strike_index_array ) / 8 )
error = FT_THROW( Invalid_File_Format );
}
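Review bot: The two-line comment above the rewritten bounds check gives the intended comparison but not why it is written in divided form, and it does not say that the order of the `||` operands matters. The subtraction `face->sbit_table_size - decoder->strike_index_array` is only safe because the first operand has already rejected `strike_index_array > sbit_table_size`. If these fields are unsigned, as the fix implies, swapping or dropping that first test would let the difference wrap and the check pass for an out-of-range offset. I would spell this out, e.g. `/* overflow-safe form of `strike_index_array + 8 * strike_index_count > sbit_table_size'; */` followed by `/* the subtraction relies on the first test having passed */`. The body of tt_sbit_decoder_init starts and continues outside this hunk, so whether later reads of the strike index array depend solely on this check cannot be confirmed from here.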