

ref: beecf80a6deecbaf5d264d4f864451bde4fe98b8
parent: 01658be6fbda2ff17616158ae5df5dc240a4347c
author: Werner Lemberg <[email protected]>
date: Fri Dec 16 03:52:03 EST 2016

[cff] Fix heap buffer overflow (#49858).

* src/cff/cffparse.c (cff_parser_run): Add one more stack size
check.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-12-16  Werner Lemberg  <[email protected]>
+
+	[cff] Fix heap buffer overflow (#49858).
+
+	* src/cff/cffparse.c (cff_parser_run): Add one more stack size
+	check.
+
 2016-12-15  Werner Lemberg  <[email protected]>
 
 	Fix clang warnings.
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@@ -1422,13 +1422,17 @@
         /* and look for it in our current list.                            */
 
         FT_UInt                   code;
-        FT_UInt                   num_args = (FT_UInt)
-                                             ( parser->top - parser->stack );
+        FT_UInt                   num_args;
         const CFF_Field_Handler*  field;
 
 
+        if ( (FT_UInt)( parser->top - parser->stack ) >= parser->stackSize )
+          goto Stack_Overflow;
+
+        num_args     = (FT_UInt)( parser->top - parser->stack );
         *parser->top = p;
-        code = v;
+        code         = v;
+
         if ( v == 12 )
         {
           /* two byte operator */
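Review bot: The new guard and the assignment right after it compute `parser->top - parser->stack` twice with the same cast; assigning first and comparing the named value reads more clearly and keeps the bound and the count from drifting apart, e.g. `num_args = (FT_UInt)( parser->top - parser->stack );` followed by `if ( num_args >= parser->stackSize ) goto Stack_Overflow;`. The check also deserves a one-line comment stating why it sits here, since the write `*parser->top = p;` on the next line is the access being bounded, e.g. `/* the operator position is pushed onto the stack below; reject a full stack first */`. If `parser->top` ever sat below `parser->stack`, the unsigned cast would turn the negative difference into a large value and the guard would still reject it, which is the safe direction. The enclosing function cff_parser_run and the Stack_Overflow label are outside the hunk.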