shithub: freetype+ttf2subf

Info  •  Files  •  Log  •  Branches

* src/type42/t42parse.c (t42_parse_sfnts): Reject invalid TTF size.

git/fs: mount .git/fs: mount/attach disallowed

--- a/ChangeLog

+++ b/ChangeLog

@@ -1,5 +1,9 @@

 2014-12-11  Werner Lemberg  <[email protected]>

+	* src/type42/t42parse.c (t42_parse_sfnts): Reject invalid TTF size.

+

+2014-12-11  Werner Lemberg  <[email protected]>

+

 	* src/base/ftobjs.c (FT_Get_Glyph_Name): Fix off-by-one check.

 	Problem reported by Dennis Felsing <[email protected]>.

--- a/src/type42/t42parse.c

+++ b/src/type42/t42parse.c

@@ -667,6 +667,13 @@

             status         = BEFORE_TABLE_DIR;

             face->ttf_size = 12 + 16 * num_tables;

+            if ( (FT_ULong)( limit - parser->root.cursor ) < face->ttf_size )

+            {

+              FT_ERROR(( "t42_parse_sfnts: invalid data in sfnts array\n" ));

+              error = FT_THROW( Invalid_File_Format );

+              goto Fail;

+            }

+

             if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )

               goto Fail;

           }