ref: 59ae73fe1658f5cf001f76b983abbdb1f1ff6dc2
parent: 5dedbc048f0efaab3d3b32fc9c60eb4567114723
author: Werner Lemberg <[email protected]>
date: Thu Oct 22 05:26:00 EDT 2015
[cid] Better check of `SubrCount' dictionary entry (#46272). * src/cid/cidload.c (cid_face_open): Add more sanity tests for `fd_bytes', `gd_bytes', `sd_bytes', and `num_subrs'.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-22 Werner Lemberg <[email protected]>
+
+ [cid] Better check of `SubrCount' dictionary entry (#46272).
+
+ * src/cid/cidload.c (cid_face_open): Add more sanity tests for
+ `fd_bytes', `gd_bytes', `sd_bytes', and `num_subrs'.
+
2015-10-21 Werner Lemberg <[email protected]>
[base] Pacify compiler (#46266).
--- a/src/cid/cidload.c
+++ b/src/cid/cidload.c
@@ -750,6 +750,14 @@
/* sanity tests */
+ if ( cid->fd_bytes < 0 || cid->gd_bytes < 0 )
+ {
+ FT_ERROR(( "cid_parse_dict:"
+ " Invalid `FDBytes' or `GDBytes' value\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
/* allow at most 32bit offsets */
if ( cid->fd_bytes > 4 || cid->gd_bytes > 4 )
{
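Review bot: The two FT_ERROR strings added here name `cid_parse_dict`, while the commit message places these checks in `cid_face_open`, so a trace line from this path points at the wrong function when someone triages a rejected font. The `SDBytes` message added in the second hunk has the same prefix; the surrounding context lines use it too, so this follows existing practice rather than introducing it. I would write `FT_ERROR(( "cid_face_open:"` in the added messages. Separately, the new test rejects only negative values, so a `GDBytes` of 0 passes both this check and the `> 4` check below; whether a zero-width offset is meaningful to the code that reads the CID map is not visible in this hunk and is worth confirming. The enclosing function starts and ends outside the hunk.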
@@ -769,6 +777,13 @@
CID_FaceDict dict = cid->font_dicts + n;
+ if ( dict->sd_bytes < 0 )
+ {
+ FT_ERROR(( "cid_parse_dict: Invalid `SDBytes' value\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
if ( dict->sd_bytes > 4 )
{
FT_ERROR(( "cid_parse_dict:"
@@ -785,9 +800,11 @@
goto Exit;
}
- if ( dict->sd_bytes &&
- dict->num_subrs >
- ( binary_length - dict->subrmap_offset ) / dict->sd_bytes )
+ /* `num_subrs' is scanned as a signed integer */
+ if ( (FT_Int)dict->num_subrs < 0 ||
+ ( dict->sd_bytes &&
+ dict->num_subrs > ( binary_length - dict->subrmap_offset ) /
+ (FT_UInt)dict->sd_bytes ) )
{
FT_ERROR(( "cid_parse_dict: Invalid `SubrCount' value\n" ));
error = FT_THROW( Invalid_File_Format );
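Review bot: The sign test `(FT_Int)dict->num_subrs < 0` depends on an out-of-range unsigned-to-signed conversion, which C leaves implementation-defined. Assuming `num_subrs` is an unsigned field (the cast suggests so), comparing against the maximum keeps the check in unsigned arithmetic: `if ( dict->num_subrs > (FT_UInt)FT_INT_MAX ||`. The upper bound is still skipped when `sd_bytes` is 0, so in that case `num_subrs` is limited only by the sign test; a comment stating why a zero `SDBytes` is accepted with an arbitrary count, or a guard rejecting a non-zero count there, would make the intent explicit. The subtraction `binary_length - dict->subrmap_offset` also relies on an earlier check that the offset does not exceed `binary_length`, presumably the block that closes at the top of this hunk, though that is not visible here. The body of this `if` continues past the end of the hunk.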