ref: f46add13895337ece929b18bb8f036431b3fb538
parent: 602040b1112c9f94d68e200be59ea7ac3d104565
author: Werner Lemberg <[email protected]>
date: Wed Nov 12 16:06:08 EST 2014
[sfnt] Fix Savannah bug #43589. * src/sfnt/sfobjs.c (woff_open_font): Protect against addition overflow.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2014-11-12 Werner Lemberg <[email protected]>
+ [sfnt] Fix Savannah bug #43589.
+
+ * src/sfnt/sfobjs.c (woff_open_font): Protect against addition
+ overflow.
+
+2014-11-12 Werner Lemberg <[email protected]>
+
[sfnt] Fix Savannah bug #43588.
* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -567,8 +567,10 @@
if ( table->Offset != woff_offset ||
- table->Offset + table->CompLength > woff.length ||
- sfnt_offset + table->OrigLength > woff.totalSfntSize ||
+ table->CompLength > woff.length ||
+ table->Offset > woff.length - table->CompLength ||
+ table->OrigLength > woff.totalSfntSize ||
+ sfnt_offset > woff.totalSfntSize - table->OrigLength ||
table->CompLength > table->OrigLength )
{error = FT_THROW( Invalid_Table );