shithub: freetype+ttf2subf


ref: e3058617f384cb6709f3878f753fa17aca9e3a30
parent: e40e8b33a1e925c7f9db57bedac4014f57481232
author: Werner Lemberg <[email protected]>
date: Sun Sep 13 04:41:43 EDT 2015

[type1] Fix potential buffer overflow (#45923).

* src/type1/t1parse.c (T1_Get_Private_Dict): Assure `cur' doesn't
point to end of file buffer.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2015-09-13  Werner Lemberg  <[email protected]>
 
+	[type1] Fix potential buffer overflow (#45923).
+
+	* src/type1/t1parse.c (T1_Get_Private_Dict): Assure `cur' doesn't
+	point to end of file buffer.
+
+2015-09-13  Werner Lemberg  <[email protected]>
+
 	[gzip] Fix access of small compressed files (#45937).
 
 	* src/gzip/ftgzip.c (ft_gzip_stream_close): Avoid memory leak.
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -389,6 +389,15 @@
 
       cur   = limit;
       limit = parser->base_dict + parser->base_len;
+
+      if ( cur >= limit )
+      {
+        FT_ERROR(( "T1_Get_Private_Dict:"
+                   " premature end in private dictionary\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Exit;
+      }
+
       goto Again;
 
       /* now determine where to write the _encrypted_ binary private  */
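Review bot: The new `if ( cur >= limit )` guard before `goto Again` has no comment saying which read it protects, so a later refactor could move or drop it without noticing. After `cur = limit;` and the reset of `limit` to `parser->base_dict + parser->base_len`, `cur` can sit exactly at the end of the buffer, and the code at `Again` (outside this hunk) presumably dereferences `cur` before comparing it with `limit`. I would add a comment above the check, for example `/* cur may equal the end of the buffer here; the code at Again reads it before testing limit */`. Because the guard is local to this one jump, it is worth confirming that every other path reaching `Again` also arrives with `cur < limit`. The enclosing function starts and ends outside the hunk.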