Commit 06c2d3324e8a8dbe153d51129adadd8d8eb4f834
2015-10-08T21:31:57
[type42] Protect against invalid number of glyphs (#46159). * src/type42/t42parse.c (t42_parse_charstrings): Check number of `CharStrings' dictionary entries against size of data stream.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39
diff --git a/ChangeLog b/ChangeLog
index 066136a..f4e30c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2015-10-08 Werner Lemberg <wl@gnu.org>
+ [type42] Protect against invalid number of glyphs (#46159).
+
+ * src/type42/t42parse.c (t42_parse_charstrings): Check number of
+ `CharStrings' dictionary entries against size of data stream.
+
+2015-10-08 Werner Lemberg <wl@gnu.org>
+
[sfnt] Fix some signed overflows (#46149).
* src/sfnt/ttsbit.c (tt_face_load_strike_metrics)
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index 003b63e..a32d496 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -795,6 +795,17 @@
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
+
+ /* we certainly need more than 4 bytes per glyph */
+ if ( loader->num_glyphs > ( limit - parser->root.cursor ) >> 2 )
+ {
+ FT_TRACE0(( "t42_parse_charstrings: adjusting number of glyphs"
+ " (from %d to %d)\n",
+ loader->num_glyphs,
+ ( limit - parser->root.cursor ) >> 2 ));
+ loader->num_glyphs = ( limit - parser->root.cursor ) >> 2;
+ }
+
}
else if ( *parser->root.cursor == '<' )
{