shithub: freetype+ttf2subf

Info  •  Files  •  Log  •  Branches

[type1, type42] Check encoding array size (#45961).

* src/type1/t1load.c (parse_encoding), src/type42/t42parse.c
(t42_parse_encoding): Do it.

git/fs: mount .git/fs: mount/attach disallowed

--- a/ChangeLog

+++ b/ChangeLog

@@ -1,3 +1,10 @@

+2015-09-15  Werner Lemberg  <[email protected]>

+

+	[type1, type42] Check encoding array size (#45961).

+

+	* src/type1/t1load.c (parse_encoding), src/type42/t42parse.c

+	(t42_parse_encoding): Do it.

+

 2015-09-14  Alexei Podtelezhnikov  <[email protected]>

 	* src/base/ftcalc.c (FT_MulFix) [FT_LONG64]: Improve.

--- a/src/type1/t1load.c

+++ b/src/type1/t1load.c

@@ -1192,6 +1192,15 @@

       else

         count = (FT_Int)T1_ToInt( parser );

+      /* only composite fonts (which we don't support) */

+      /* can have larger values                        */

+      if ( count > 256 )

+      {

+        FT_ERROR(( "parse_encoding: invalid encoding array size\n" ));

+        parser->root.error = FT_THROW( Invalid_File_Format );

+        return;

+      }

+

       T1_Skip_Spaces( parser );

       if ( parser->root.cursor >= limit )

         return;

--- a/src/type42/t42parse.c

+++ b/src/type42/t42parse.c

@@ -332,6 +332,15 @@

       else

         count = (FT_Int)T1_ToInt( parser );

+      /* only composite fonts (which we don't support) */

+      /* can have larger values                        */

+      if ( count > 256 )

+      {

+        FT_ERROR(( "t42_parse_encoding: invalid encoding array size\n" ));

+        parser->root.error = FT_THROW( Invalid_File_Format );

+        return;

+      }

+

       T1_Skip_Spaces( parser );

       if ( parser->root.cursor >= limit )

         return;