ref: 81f3472c0ba7b8f6466e2e214fa8c1c17fade975
parent: 223cb1b57c1c89fbaf76772af11f1b06490bde3c
author: suzuki toshiya <[email protected]>
date: Fri Aug 6 10:11:54 EDT 2010
Fix Savannah bug #30658. * src/base/ftobjs.c (Mac_Read_POST_Resource): Check that the total length of collected POST segments does not overrun the allocated buffer.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2010-08-06 suzuki toshiya <[email protected]>
+
+ Fix Savannah bug #30658.
+
+ * src/base/ftobjs.c (Mac_Read_POST_Resource): Check the total
+ length of collected POST segments does not overrun the allocated
+ buffer.
+
2010-08-06 Yuriy Kaminskiy <[email protected]>
Fix conditional usage of FT_MulFix_i386.
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1574,6 +1574,7 @@
FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
i, offsets[i], rlen, flags ));
+ /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */
continue;
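Review bot: The added comment does not say where `rlen` is actually validated, and "until FT_Stream_Read()" reads as if the stream read itself performs the check. In this commit the bound is enforced by the new `pfb_pos + rlen > pfb_len` test placed just before that call, so the comment should point there, for example `/* rlen is not validated here; it is checked against pfb_len just before FT_Stream_Read() below */`. Since `rlen` comes from the resource data and is used unvalidated between this point and that test, a precise pointer helps whoever later adds code in between. The enclosing loop starts and ends outside the hunk.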
@@ -1612,6 +1613,10 @@
pfb_data[pfb_pos++] = 0;
pfb_data[pfb_pos++] = 0;
}
+
+ error = FT_Err_Cannot_Open_Resource;
+ if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+ goto Exit2;
error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
if ( error )
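Review bot: The two `pfb_data[pfb_pos++] = 0;` stores shown as context above the new guard still run before it, so `pfb_pos > pfb_len` only detects an overrun after the bytes have been written. The block holding those stores starts outside the hunk, and it needs its own room check before it writes. In the guard itself, `pfb_pos + rlen` can overflow or wrap when `rlen` is very large, and if `rlen` is a signed type (its declaration is not visible here) a negative value passes the test and reaches FT_Stream_Read() as the length. Comparing against the remaining space avoids both: `if ( rlen < 0 || pfb_pos > pfb_len || rlen > pfb_len - pfb_pos )`, dropping the `rlen < 0` term if the type turns out to be unsigned.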