shithub: freetype+ttf2subf

ref: 73aa20ca1d86f6c838bd534cda741adc4cfa7aee
parent: d2d843a01ce7815c11458eb0c1a319a525139af1
author: suzuki toshiya <[email protected]>
date: Sun Sep 19 21:30:38 EDT 2010

[cff] Truncate the element length at the end of the stream.
See Savannah bug #30975.

* src/cff/cffload.c (cff_index_access_element): `off2', the
offset to the next element, is truncated at the end of the
stream to prevent invalid I/O.  As `off1', the offset to the
requested element, has been checked by FT_STREAM_SEEK(),
`off2' should be checked similarly.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,15 @@
 2010-09-19  suzuki toshiya  <[email protected]>
+ 
+	[cff] Truncate the element length at the end of the stream.
+	See Savannah bug #30975.
+ 
+	* src/cff/cffload.c (cff_index_access_element): `off2', the
+ 	offset to the next element is truncated at the end of the
+	stream to prevent invalid I/O.  As `off1', the offset to the
+	requested element has been checked by FT_STREAM_SEEK(),
+	`off2' should be checked similarly.
+
+2010-09-19  suzuki toshiya  <[email protected]>
 
 	[cff] Ignore CID > 0xFFFFU.
 	See Savannah bug #30975.
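Review bot: the two "blank" separator lines of the new entry carry a trailing space, and the line starting "offset to the next element" is indented with a space followed by a tab rather than the single tab used by every other ChangeLog line here; strip the trailing whitespace and make the indentation a plain tab so the entry matches the surrounding entries.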
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -519,6 +519,17 @@
         }
       }
 
+      /* XXX: should check off2 does not exceed the end of this entry   */
+      /*      at present, only truncate off 2 at the end of this stream */
+      if ( idx->data_offset + off2 - 1 > stream->size )
+      {
+        FT_ERROR(( "cff_index_access_element:"
+                   " offset to next entry (%d)"
+                   " exceeds the end of stream (%d)\n",
+                   off2, stream->size - idx->data_offset + 1 ));
+        off2 = stream->size - idx->data_offset + 1;
+      }
+
       /* access element */
       if ( off1 && off2 > off1 )
       {
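Review bot: the FT_ERROR call prints `stream->size - idx->data_offset + 1` with `%d`; stream sizes and INDEX offsets are unsigned long values, so the specifier should be `%lu` (or the values cast), otherwise the diagnostic is wrong on LP64 builds. The new bound is also only against the whole stream, as the XXX comment admits: an `off2` that lies past the end of this INDEX's data but before the end of the file still passes and makes the element span into whatever follows the INDEX, so the element length should additionally be clamped to the INDEX's own data size rather than leaving that as a TODO. Finally, the message says "exceeds the end of stream" but prints the clamped value the code is about to assign, not the stream end; printing `stream->size` (or rewording the message to "truncated to") would make the log line match what it reports.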