shithub: freetype+ttf2subf

Download patch

ref: aff6ebb9a6e9b8cfdf47dcb0fe1b36396241a052
parent: ccd771cdf673eb55e7e0461e89568af7b70fb640
author: Werner Lemberg <[email protected]>
date: Wed Mar 30 05:11:02 EDT 2016 

* src/pfr/pfrload.c (pfr_log_font_count): Better font size estimate.

git/fs: mount .git/fs: mount/attach disallowed 
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2016-03-30  Werner Lemberg  <[email protected]>
 
+	* src/pfr/pfrload.c (pfr_log_font_count): Better font size estimate.
+
+2016-03-30  Werner Lemberg  <[email protected]>
+
 	* src/pfr/pfrload.c (pfr_aux_name_load): Fix memory leak (#47567).
 
 2016-03-29  Werner Lemberg  <[email protected]>
--- a/src/pfr/pfrload.c
+++ b/src/pfr/pfrload.c
@@ -299,9 +299,15 @@
          FT_READ_USHORT( count )          )
       goto Exit;
 
-    /* check maximum value and a rough minimum size */
+    /* check maximum value and a rough minimum size:     */
+    /* - no more than 13106 log fonts                    */
+    /* - we need 5 bytes for a log header record         */
+    /* - we need at least 18 bytes for a log font record */
+    /* - the overall size is at least 95 bytes plus the  */
+    /*   log header and log font records                 */
     if ( count > ( ( 1 << 16 ) - 2 ) / 5                ||
-         2 + count * 5 >= stream->size - section_offset )
+         2 + count * 5 >= stream->size - section_offset ||
+         95 + count * ( 5 + 18 ) >= stream->size        )
     {
       FT_ERROR(( "pfr_log_font_count:"
                  " invalid number of logical fonts\n" ));