ref: f4bc3f40b37ebdd162be3f96793bbb0e6851b6bb
parent: 6e2f9d5db79bfd0336c652f64a1d17c8234022e8
author: Werner Lemberg <[email protected]>
date: Tue Jun 5 03:32:15 EDT 2007
* src/winfnt/winfnt.c (FNT_Face_Init): Check `family_size'.
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,9 @@
* src/pfr/pfrtypes.h (PFR_GlyphRec): Comment out unused code.
+
+ * src/winfnt/winfnt.c (FNT_Face_Init): Check `family_size'.
+
2007-06-04 Werner Lemberg <[email protected]>
* src/cid/cidgload.c (cid_load_glyph): Check `fd_select'.
--- a/src/winfonts/winfnt.c
+++ b/src/winfonts/winfnt.c
@@ -536,11 +536,17 @@
root->num_glyphs = font->header.last_char -
font->header.first_char + 1 + 1;
+ if ( font->header.face_name_offset >= font->header.file_size )
+ {
+ FT_TRACE2(( "invalid family name offset!\n" ));
+ error = FNT_Err_Invalid_File_Format;
+ goto Fail;
+ }
+ family_size = font->header.file_size - font->header.face_name_offset;
/* Some broken fonts don't delimit the face name with a final */
/* NULL byte -- the frame is erroneously one byte too small. */
/* We thus allocate one more byte, setting it explicitly to */
/* zero. */
- family_size = font->header.file_size - font->header.face_name_offset;
if ( FT_ALLOC( font->family_name, family_size + 1 ) )
goto Fail;
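Review bot: The new guard bounds `face_name_offset` against `font->header.file_size`, which is itself a header field read from the font and so just as untrusted as the offset; unless the earlier frame load already rejected a `file_size` larger than the stream (not visible here), the `family_size` bytes copied after this hunk can still reach past the data actually read into memory. If that validation does not exist, a tighter condition would be `if ( font->header.face_name_offset >= font->header.file_size || font->header.file_size > stream->size )`, or equivalently a check of `file_size` against the stream in the header loader. The check's purpose is also worth stating, since the subtraction below is unsigned and an out-of-range offset would otherwise wrap to a huge `family_size` and drive the allocation and copy: `/* reject offsets past end of file: the subtraction below is unsigned */`. Note that `face_name_offset == 0` passes the guard although the name cannot begin inside the header; a lower bound of `header_size` would be stricter if the format guarantees it. FNT_Face_Init continues past the end of this hunk, so the copy itself is outside the visible lines.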