ref: 292144b44a15c1a72f2ef76475d65b7a3a3fba67
parent: a33c013fe2dc6e65de2879682201d9c155292349
author: Werner Lemberg <[email protected]>
date: Thu Mar 1 09:54:47 EST 2012
[psaux] Fix Savannah bug #35657. If in function `skip_spaces' the routine `skip_comment' comes to the end of buffer, `cur' is still increased by one, so we need to check for `p >= limit' and not `p == limit'. * src/psaux/psconv.c (PS_Conv_Strtol, PS_Conv_ToFixed, PS_Conv_ASCIIHexDecode, PS_Conv_EexecDecode): Fix boundary checking.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
2012-03-01 Werner Lemberg <[email protected]>
+ [psaux] Fix Savannah bug #35657.
+
+ If in function `skip_spaces' the routine `skip_comment' comes to the
+ end of buffer, `cur' is still increased by one, so we need to check
+ for `p >= limit' and not `p == limit'.
+
+ * src/psaux/psconv.c (PS_Conv_Strtol, PS_Conv_ToFixed,
+ PS_Conv_ASCIIHexDecode, PS_Conv_EexecDecode): Fix boundary checking.
+
+2012-03-01 Werner Lemberg <[email protected]>
+
[truetype] Fix Savannah bug #35646.
* src/truetype/ttinterp.c (Ins_MIRP): Typo, present since ages. The
--- a/src/psaux/psconv.c
+++ b/src/psaux/psconv.c
@@ -4,7 +4,7 @@
/* */
/* Some convenience conversions (body). */
/* */
-/* Copyright 2006, 2008, 2009 by */
+/* Copyright 2006, 2008, 2009, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -79,7 +79,7 @@
FT_Bool sign = 0;
- if ( p == limit || base < 2 || base > 36 )
+ if ( p >= limit || base < 2 || base > 36 )
return 0;
if ( *p == '-' || *p == '+' )
@@ -150,7 +150,7 @@
FT_Bool sign = 0;
- if ( p == limit )
+ if ( p >= limit )
return 0;
if ( *p == '-' || *p == '+' )
@@ -346,7 +346,11 @@
#if 1
- p = *cursor;
+ p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
if ( n > (FT_UInt)( limit - p ) )
n = (FT_UInt)( limit - p );
@@ -434,6 +438,10 @@
#if 1
p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
if ( n > (FT_UInt)(limit - p) )
n = (FT_UInt)(limit - p);