ref: f0292bb9920aa1dbfed5f53861e7c7a89b35833a
parent: eca0f067068020870a429fe91f6329e499390d55
author: Werner Lemberg <[email protected]>
date: Mon Nov 24 05:51:21 EST 2014
[sfnt] Fix Savannah bug #43680. This adds an additional constraint to make the fix from 2013-01-25 really work. * src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>: Check `p' before `num_glyphs'.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
2014-11-24 Werner Lemberg <[email protected]>
+ [sfnt] Fix Savannah bug #43680.
+
+ This adds an additional constraint to make the fix from 2013-01-25
+ really work.
+
+ * src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>:
+ Check `p' before `num_glyphs'.
+
+2014-11-24 Werner Lemberg <[email protected]>
+
[truetype] Fix Savannah bug #43679.
* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -1170,7 +1170,8 @@
num_glyphs = FT_NEXT_ULONG( p );
/* overflow check for p + ( num_glyphs + 1 ) * 4 */
- if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
+ if ( p + 4 > p_limit ||
+ num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
goto NoBitmap;
for ( mm = 0; mm < num_glyphs; mm++ )
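Review bot: The new guard `p + 4 > p_limit` forms the pointer `p + 4` before comparing it, and in exactly the case it is meant to catch (fewer than 4 bytes left before `p_limit`) that pointer lies beyond one-past-the-end of the table buffer, which is undefined behaviour in C even though it only feeds a comparison; the difference form avoids this, `if ( p_limit - p < 4 ||`, and keeps the intent that at least one 4-byte offset entry remains so `( ( p_limit - p ) >> 2 ) - 1` cannot go negative and wrap through the FT_ULong cast. This assumes `p_limit` is the one-past-end pointer of the same buffer `p` walks, which is set outside the hunk. The enclosing tt_sbit_decoder_load_image starts and ends outside the hunk, as does the loop body that consumes the offsets.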