shithub: freetype+ttf2subf

git/fs: mount .git/fs: mount/attach disallowed

--- a/ChangeLog

+++ b/ChangeLog

@@ -1,5 +1,25 @@

 2011-09-11  Tomas Hoger  <[email protected]>

+	Add explicit LZW decompression stack size limit.

+	Stack larger than 1<<LZW_MAX_BITS is never needed if prefix table is

+	constructed correctly.  It's even less than that, see e.g.

+	libarchive code comment for a better size upper bound:

+	  http://code.google.com/p/libarchive/source/browse/trunk/libarchive/archive_read_support_filter_compress.c?r=3635#121

+	This patch adds explicit stack size limit, enforced when stack is

+	realloced.

+	An alternative is to ensure that code < state->prefix[code - 256]

+	when traversing prefix table.  Such check is less efficient and

+	should not be required if prefix table is constructed correctly in

+	the first place.

+	* src/lzw/ftzopen.c (ft_lzwstate_stack_grow): Implement it.

+2011-09-11  Tomas Hoger  <[email protected]>

 	Protect against loops in the prefix table.

 	LZW decompressor did not sufficiently check codes read from the

--- a/src/lzw/ftzopen.c

+++ b/src/lzw/ftzopen.c

@@ -124,6 +124,15 @@

         old_size     = 0;

+      /* requirement of the character stack larger than 1<<LZW_MAX_BITS */

+      /* implies bug in the decompression code                          */

+      if ( new_size > ( 1 << LZW_MAX_BITS ) )

+      {

+        new_size = 1 << LZW_MAX_BITS;

+        if ( new_size == old_size )

+          return -1;

+      }

       if ( FT_RENEW_ARRAY( state->stack, old_size, new_size ) )

         return -1;