
ref: cd4a5a26e591d01494567df9dec7f72d59551f6e
parent: 1720e81e3ecc7c266e54fe40175cc39c47117bf5
author: suzuki toshiya <[email protected]>
date: Wed Nov 26 19:20:48 EST 2014

* src/base/ftobjs.c (Mac_Read_POST_Resource): Additional
overflow check in the summation of POST fragment lengths,
suggested by Mateusz Jurczyk <[email protected]>.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2014-11-26  suzuki toshiya  <[email protected]>
 
+	* src/base/ftobj.c (Mac_Read_POST_Resource): Additional
+	overflow check in the summation of POST fragment lengths,
+	suggested by Mateusz Jurczyk <[email protected]>.
+
+2014-11-26  suzuki toshiya  <[email protected]>
+
 	* src/base/ftobjs.c (Mac_Read_POST_Resource): Insert comments
 	and fold too long tracing messages.
 
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1586,8 +1586,10 @@
        */
       FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n",
                   i, temp));
-      if ( 0x7FFFFFFFUL < temp )
+      if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len )
       {
+        FT_TRACE2(( "             too long fragment length makes"
+                    " pfb_len confused: temp=0x%08x\n", temp ));
         error = FT_THROW( Invalid_Offset );
         goto Exit;
       }
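Review bot: The added test `pfb_len + temp + 6 < pfb_len` only fires when the sum wraps at the width of the operands' type, so it bounds nothing if `pfb_len` and `temp` are 64-bit `unsigned long` (their declarations are outside this hunk; the `UL` constant suggests a long type). On such a build the fragment lengths read from untrusted font data could accumulate past 0x7FFFFFFF without reaching this error path, and the `pfb_len + 2 < 6` test in the second hunk has the same dependence on wraparound. If the intent is to keep the running total within the same 31-bit limit applied to `temp`, an explicit bound is clearer and independent of type width: `if ( 0x7FFFFFFFUL < temp || 0x7FFFFFFFUL - 6 < pfb_len || 0x7FFFFFFFUL - 6 - pfb_len < temp )`. Separately, the new trace prints `temp` (and `pfb_len` in the second hunk) with `%08x`; if those are long types the specifier should be `%08lx`, since a mismatched variadic argument is undefined behaviour.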
@@ -1600,8 +1602,7 @@
                  resource_cnt, pfb_len + 2));
     if ( pfb_len + 2 < 6 ) {
       FT_TRACE2(( "             too long fragment length makes"
-                  " pfb_len confused: 0x%08x\n",
-                  pfb_len ));
+                  " pfb_len confused: pfb_len=0x%08x\n", pfb_len ));
       error = FT_THROW( Array_Too_Large );
       goto Exit;
     }