shithub: freetype+ttf2subf

Download patch

ref: 946df2216565925223a9e6af4d708906a6262a7d
parent: 0313a11c4c2d1a6688facccffd18e0473dc6953e
author: Alexei Podtelezhnikov <[email protected]>
date: Thu Oct 7 18:44:53 EDT 2021

* src/cid/cidload.c (cid_face_open): Streamline SubrCount check.

git/fs: mount .git/fs: mount/attach disallowed
--- a/src/cid/cidload.c
+++ b/src/cid/cidload.c
@@ -902,11 +902,10 @@
         goto Exit;
       }
 
-      /* `num_subrs' is scanned as a signed integer */
-      if ( (FT_Int)dict->num_subrs < 0                                     ||
-           ( dict->sd_bytes                                              &&
-             dict->num_subrs > ( binary_length - dict->subrmap_offset ) /
-                                 dict->sd_bytes                          ) )
+      /* The first condition prevents the multiplication overflow */
+      if ( dict->num_subrs > UINT_MAX / 4         ||
+           dict->num_subrs * dict->sd_bytes >
+             binary_length - dict->subrmap_offset )
       {
         FT_ERROR(( "cid_face_open: Invalid `SubrCount' value\n" ));
         error = FT_THROW( Invalid_File_Format );