ref: 60d13bd432f56421ed63c5bf14a73e006e9bf7ad
parent: bd4b8976a36fd49dc2e04516aa76687c784c4c3a
author: Werner Lemberg <[email protected]>
date: Mon Dec 21 12:27:17 EST 2015
[type1] Avoid shift of negative numbers (#46732). * src/type1/t1load.c (parse_subrs): Do it.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-12-21 Werner Lemberg <[email protected]>
+
+ [type1] Avoid shift of negative numbers (#46732).
+
+ * src/type1/t1load.c (parse_subrs): Do it.
+
2015-12-20 Werner Lemberg <[email protected]>
[type1, psaux] Handle large values of num_subrs correctly (#46692).
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1433,7 +1433,8 @@
}
/* we certainly need more than 8 bytes per subroutine */
- if ( num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
+ if ( parser->root.limit > parser->root.cursor &&
+ num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
{/*
* There are two possibilities. Either the font contains an invalid