shithub: freetype+ttf2subf


ref: d9577add645c8c05460c7d60ad486c021394b82e
parent: 03242f58c4bf7226276d8e4e7cb106045319e517
author: Werner Lemberg <[email protected]>
date: Sun Feb 26 03:03:57 EST 2012

[type1] Fix Savannah bug #35608.

* src/type1/t1parse.c (T1_Get_Private_Dict): Reject too short
dictionaries.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2012-02-26  Werner Lemberg  <[email protected]>
 
+	[type1] Fix Savannah bug #35608.
+
+	* src/type1/t1parse.c (T1_Get_Private_Dict): Reject too short
+	dictionaries.
+
+2012-02-26  Werner Lemberg  <[email protected]>
+
 	[bdf] Support `ENCODING -1 <n>' format.
 
 	* src/bdf/bdflib.c (_bdf_parse_glyphs) <ENCODING>: Implement it.
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    Type 1 parser (body).                                                */
 /*                                                                         */
-/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by             */
+/*  Copyright 1996-2005, 2008, 2009, 2012 by                               */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -466,6 +466,14 @@
 
     /* we now decrypt the encoded binary private dictionary */
     psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U );
+
+    if ( parser->private_len < 4 )
+    {
+      FT_ERROR(( "T1_Get_Private_Dict:"
+                 " invalid private dictionary section\n" ));
+      error = T1_Err_Invalid_File_Format;
+      goto Fail;
+    }
 
     /* replace the four random bytes at the beginning with whitespace */
     parser->private_dict[0] = ' ';
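Review bot: The new `parser->private_len < 4` guard sits after the `psaux->t1_decrypt( ... )` call, so a dictionary that is about to be rejected is still decrypted in place first; moving the guard above the decrypt call would keep all validation of the font-supplied length ahead of any processing. The bound of 4 deserves a short comment of its own, e.g. `/* the first four bytes are random padding and get overwritten below */`, because the writes it protects start at `parser->private_dict[0]` and continue outside this hunk. Whether the `Fail` label releases `parser->private_dict` is not visible here and is worth confirming, since this is a new early exit taken after the buffer has been filled.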