* src/cid/cidload.c (cid_face_open): Streamline CIDCount check.
diff --git a/src/cid/cidload.c b/src/cid/cidload.c
index 75f3d4c..1f3f6d7 100644
--- a/src/cid/cidload.c
+++ b/src/cid/cidload.c
@@ -776,7 +776,6 @@
CID_FaceInfo cid = &face->cid;
FT_ULong binary_length;
- FT_ULong entry_len;
cid_init_loader( &loader, face );
@@ -853,7 +852,24 @@
}
binary_length = face->cid_stream->size - cid->data_offset;
- entry_len = cid->fd_bytes + cid->gd_bytes;
+
+ if ( cid->cidmap_offset > binary_length )
+ {
+ FT_ERROR(( "cid_face_open: Invalid `CIDMapOffset' value\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
+ /* the initial pre-check prevents the multiplication overflow */
+ if ( cid->cid_count > FT_ULONG_MAX / 8 ||
+ cid->cid_count * ( cid->fd_bytes + cid->gd_bytes ) >
+ binary_length - cid->cidmap_offset )
+ {
+ FT_ERROR(( "cid_face_open: Invalid `CIDCount' value\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
for ( n = 0; n < cid->num_dicts; n++ )
{
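Review bot: The divisor in `cid->cid_count > FT_ULONG_MAX / 8` is only a sound overflow guard while `cid->fd_bytes + cid->gd_bytes` cannot exceed 8, and nothing in this hunk establishes that bound; it is presumably enforced by an earlier sanity check in cid_face_open, whose body starts and ends outside the hunk. Because these fields come from the font file, the comment should name the dependency, e.g. `/* fd_bytes + gd_bytes <= 8 (validated earlier), so the pre-check prevents the multiplication overflow */`, so that a later relaxation of that limit does not silently let the product wrap and accept an oversized `CIDCount`. The same applies to `dict->num_subrs > FT_UINT_MAX / 4` in the next hunk, which depends on `dict->sd_bytes` being at most 4. The removed division form did not rely on such a bound.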
@@ -902,8 +918,8 @@
goto Exit;
}
- /* The first condition prevents the multiplication overflow */
- if ( dict->num_subrs > UINT_MAX / 4 ||
+ /* the initial pre-check prevents the multiplication overflow */
+ if ( dict->num_subrs > FT_UINT_MAX / 4 ||
dict->num_subrs * dict->sd_bytes >
binary_length - dict->subrmap_offset )
{
@@ -913,22 +929,6 @@
}
}
- if ( cid->cidmap_offset > binary_length )
- {
- FT_ERROR(( "cid_face_open: Invalid `CIDMapOffset' value\n" ));
- error = FT_THROW( Invalid_File_Format );
- goto Exit;
- }
-
- if ( entry_len &&
- cid->cid_count >
- ( binary_length - cid->cidmap_offset ) / entry_len )
- {
- FT_ERROR(( "cid_face_open: Invalid `CIDCount' value\n" ));
- error = FT_THROW( Invalid_File_Format );
- goto Exit;
- }
-
/* we can now safely proceed */
error = cid_read_subrs( face );