ref: e23ba91af7ed886073a581fc3f2d243994ed085e
parent: c69891a1345640096fbf396e8dd567fe879ce233
author: Werner Lemberg <[email protected]>
date: Fri Jun 25 17:55:14 EDT 2010
Fix Savannah bug #30254. * src/cff/cffload.c (cff_index_get_pointers): Do sanity check for first offset also.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-06-25 Werner Lemberg <[email protected]>
+
+ Fix Savannah bug #30254.
+
+ * src/cff/cffload.c (cff_index_get_pointers): Do sanity check for
+ first offset also.
+
2010-06-25 suzuki toshiya <[email protected]>
Initial fix for Savannah bug #30248 and #30249.
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -413,6 +413,15 @@
/* at this point, `idx->offsets' can't be NULL */
cur_offset = idx->offsets[0] - 1;
+ /* sanity check */
+ if ( cur_offset >= idx->data_size )
+ {
+ FT_TRACE0(( "cff_index_get_pointers:"
+ " invalid first offset value %d set to zero\n",
+ cur_offset ));
+ cur_offset = 0;
+ }
+
if ( !pool )
t[0] = org_bytes + cur_offset;
else
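Review bot: The new guard on `cur_offset` catches a first offset of zero only through wrap-around of `idx->offsets[0] - 1`, which holds only if `cur_offset` is unsigned. Its declaration is outside this hunk, as are the start and end of `cff_index_get_pointers`, so this should be confirmed and stated at the check, e.g. `/* sanity check; a zero first offset wraps around above and is caught here too */`. The trace call prints `cur_offset` with `%d`, which would not match an unsigned long argument if that is its type; `%lu` or a cast to the printed type would avoid the mismatch. The check also accepts any nonzero first offset below `idx->data_size`, whereas the CFF specification fixes the first offset of an INDEX at 1, so `if ( cur_offset != 0 )` would normalise every malformed value rather than only the out-of-range ones.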