ref: ba03af6f91321ab7688f7368730d9fa650fd6c27
parent: 99e0c18ea19ec74c23958064b326a4d7a2129aaf
author: Werner Lemberg <[email protected]>
date: Wed May 30 09:57:02 EDT 2007
* src/type1/t1load.c (parse_subrs, parse_charstrings): Protect against too small binary data strings. * src/bdf/bdflib.c (_bdf_parse_glyphs): Check `STARTCHAR' better.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2007-05-30 Werner Lemberg <[email protected]>
+
+ * src/type1/t1load.c (parse_subrs, parse_charstrings): Protect
+ against too small binary data strings.
+
+ * src/bdf/bdflib.c (_bdf_parse_glyphs): Check `STARTCHAR' better.
+
2007-05-28 David Turner <[email protected]>
* src/cff/cffgload.c (cff_slot_load): Do not apply the identity
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1537,6 +1537,12 @@
s = _bdf_list_join( &p->list, ' ', &slen );
+ if ( !s )
+ {+ error = BDF_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
if ( FT_NEW_ARRAY( p->glyph_name, slen + 1 ) )
goto Exit;
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1379,6 +1379,12 @@
FT_Byte* temp;
+ if ( size <= face->type1.private_dict.lenIV )
+ {+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
/* t1_decrypt() shouldn't write to base -- make temporary copy */
if ( FT_ALLOC( temp, size ) )
goto Fail;
@@ -1548,11 +1554,17 @@
notdef_found = 1;
}
- if ( face->type1.private_dict.lenIV >= 0 &&
- n < num_glyphs + TABLE_EXTEND )
+ if ( face->type1.private_dict.lenIV >= 0 &&
+ n < num_glyphs + TABLE_EXTEND )
{FT_Byte* temp;
+
+ if ( size <= face->type1.private_dict.lenIV )
+ {+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
/* t1_decrypt() shouldn't write to base -- make temporary copy */
if ( FT_ALLOC( temp, size ) )