shithub: freetype+ttf2subf


ref: f29f741efbba0a5ce2f16464f648fb8d026ed4c8
parent: 0ae6cf214ff1eec6499c347726a18b8a9809ab2c
author: suzuki toshiya <[email protected]>
date: Thu Jul 1 13:31:03 EDT 2010

Additional fix for Savannah bug #30248 and #30249.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
size during gathering PFB fragments embedded in LaserWriter PS
font for Macintosh. Reported by Robert Swiecki.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2010-07-01  suzuki toshiya  <[email protected]>
+
+	Additional fix for Savannah bug #30248 and #30249.
+
+	* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
+	size during gathering PFB fragments embedded in LaserWriter PS
+	font for Macintosh. Reported by Robert Swiecki.
+
 2010-06-30  Alexei Podtelezhnikov  <[email protected]>
 
 	Minor optimizations by avoiding divisions.
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1552,6 +1552,8 @@
         len += rlen;
       else
       {
+        if ( pfb_lenpos + 3 > pfb_len + 2 )
+          goto Exit2;
         pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
         pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
         pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
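Review bot: The added guard `pfb_lenpos + 3 > pfb_len + 2` looks one byte short for a four-byte length field. The hunk shows stores to `pfb_lenpos` through `pfb_lenpos + 2`, and the high byte is presumably written to `pfb_lenpos + 3` on the line just past the hunk. If `pfb_len + 2` is the size of `pfb_data` (the allocation is not visible here), an index of exactly `pfb_len + 2` still passes the test. Writing it in the same count form as the `pfb_pos` guards, `if ( pfb_lenpos + 4 > pfb_len + 2 )`, would close that gap; the identical guard in the last hunk of this file needs the same change.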
@@ -1560,6 +1562,8 @@
         if ( ( flags >> 8 ) == 5 )      /* End of font mark */
           break;
 
+        if ( pfb_pos + 6 > pfb_len + 2 )
+          goto Exit2;
         pfb_data[pfb_pos++] = 0x80;
 
         type = flags >> 8;
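Review bot: None of the four added guards assigns `error` before `goto Exit2`, here or in the other two hunks of this file. If `error` still holds the success value left by the preceding stream reads (those lie outside the hunks, so this is inferred), an inconsistent resource would be rejected yet reported to the caller as success. Setting an explicit failure inside each `if`, e.g. `error = FT_Err_Cannot_Open_Resource;`, makes the exit path unambiguous. The enclosing function starts and ends outside the hunk.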
@@ -1579,9 +1583,13 @@
       pfb_pos += rlen;
     }
 
+    if ( pfb_pos + 2 > pfb_len + 2 )
+      goto Exit2;
     pfb_data[pfb_pos++] = 0x80;
     pfb_data[pfb_pos++] = 3;
 
+    if ( pfb_lenpos + 3 > pfb_len + 2 )
+      goto Exit2;
     pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
     pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
     pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
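Review bot: The limit `pfb_len + 2` is repeated as a bare expression in every added guard, and `pfb_pos + 2 > pfb_len + 2` at the top of this hunk hides that it is checking room for the two-byte trailer. A short comment above that guard would help the next reader, for example `/* pfb_data is pfb_len + 2 bytes; 0x80 0x03 is the end-of-file marker */`. The buffer size is assumed from the guards, since the allocation is outside the hunk, and should be confirmed before the comment goes in.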