ref: f689bf7d9f1f03a7eaf93aea14c9929e031b176f
parent: 05012ad9c9a622a01aa65e16e7c6756ba3c7d50a
author: Werner Lemberg <[email protected]>
date: Thu Nov 18 05:28:16 EST 2010
[type1]: Improve guard against malformed data. Based on a patch submitted by Johnson Y. Yan <[email protected]> * src/type1/t1load.c (read_binary_data): Check `size'.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2010-11-18 Werner Lemberg <[email protected]>
+
+ [type1]: Improve guard against malformed data.
+ Based on a patch submitted by Johnson Y. Yan
+ <[email protected]>
+
+ * src/type1/t1load.c (read_binary_data): Check `size'.
+
2010-11-17 Werner Lemberg <[email protected]>
[sfnt] While tracing, output table checksums also.
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -4,7 +4,8 @@
/* */
/* Type 1 font loader (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
+/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, */
+/* 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -1045,8 +1046,9 @@
if ( cur < limit && ft_isdigit( *cur ) )
{- *size = T1_ToInt( parser );
+ FT_Long s = T1_ToInt( parser );
+
T1_Skip_PS_Token( parser ); /* `RD' or `-|' or something else */
/* there is only one whitespace char after the */
@@ -1053,8 +1055,12 @@
/* `RD' or `-|' token */
*base = parser->root.cursor + 1;
- parser->root.cursor += *size + 1;
- return !parser->root.error;
+ if ( s >= 0 && s < limit - *base )
+ {+ parser->root.cursor += s + 1;
+ *size = s;
+ return !parser->root.error;
+ }
}
FT_ERROR(( "read_binary_data: invalid size field\n" ));