shithub: freetype+ttf2subf


ref: c06da1ad34663da7b6fc39b030dc3ae185b96557
parent: d9b3e39484bbafbec3e42734c9b585e35485f2c1
author: Werner Lemberg <[email protected]>
date: Thu Aug 5 19:15:26 EDT 2010

Fix Savannah bug #30656.

* src/type42/t42parse.c (t42_parse_sfnts): Protect against negative
string_size.
Fix comparison.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2010-08-05  Werner Lemberg  <[email protected]>
+
+	Fix Savannah bug #30656.
+
+	* src/type42/t42parse.c (t42_parse_sfnts): Protect against negative
+	string_size.
+	Fix comparison.
+
 2010-08-05  suzuki toshiya  <[email protected]>
 
 	[cff] Don't use any values in decoder after parsing error.
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    Type 42 font parser (body).                                          */
 /*                                                                         */
-/*  Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by            */
+/*  Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by      */
 /*  Roberto Alameda.                                                       */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -577,6 +577,12 @@
         }
 
         string_size = T1_ToInt( parser );
+        if ( string_size < 0 )
+        {
+          FT_ERROR(( "t42_parse_sfnts: invalid string size\n" ));
+          error = T42_Err_Invalid_File_Format;
+          goto Fail;
+        }
 
         T1_Skip_PS_Token( parser );             /* `RD' */
         if ( parser->root.error )
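Review bot: The added `string_size < 0` check has no comment saying why a negative value is dangerous here, and the reason is only visible further down, where `string_size` is used as a pointer offset on `parser->root.cursor`. I would add a comment above the check such as `/* string_size is read from the font file and is later added to the cursor; reject negative values before any pointer arithmetic */`. The enclosing block of t42_parse_sfnts starts and ends outside the hunk.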
@@ -584,13 +590,14 @@
 
         string_buf = parser->root.cursor + 1;   /* one space after `RD' */
 
-        parser->root.cursor += string_size + 1;
-        if ( parser->root.cursor >= limit )
+        if ( limit - parser->root.cursor < string_size )
         {
           FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
           error = T42_Err_Invalid_File_Format;
           goto Fail;
         }
+        else
+          parser->root.cursor += string_size + 1;
       }
 
       if ( !string_buf )
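Review bot: The new bound `limit - parser->root.cursor < string_size` looks one byte short of what the surrounding lines consume. `string_buf` starts at `cursor + 1` and the `else` branch advances the cursor by `string_size + 1`, so an input with exactly `string_size` bytes remaining passes the check and leaves both the end of the string data and the cursor one byte past `limit`. Assuming `limit` is the one-past-the-end pointer of the parse buffer (its definition is outside the hunk), the guard should read `if ( limit - parser->root.cursor <= string_size )`. The removed post-increment test `parser->root.cursor >= limit` rejected this case, so the boundary behaviour has become more permissive with this change. The enclosing loop of t42_parse_sfnts starts and ends outside the hunk.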