Commit 0e2f5d518c60e2978f26400d110eff178fa7e3c3

Werner Lemberg 2014-11-06T22:32:46

Fix Savannah bug #43547. * src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset' values.

diff --git a/ChangeLog b/ChangeLog
index fe16048..9b56e91 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2014-11-06  Werner Lemberg  <wl@gnu.org>
 
+	Fix Savannah bug #43547.
+
+	* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
+	values.
+
+2014-11-06  Werner Lemberg  <wl@gnu.org>
+
 	* src/pcf/pcfread.c (pcf_read_TOC): Avoid memory leak.
 
 2014-11-03  Infinality  <infinality@infinality.net>
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index f63377b..8db31bd 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -154,6 +154,21 @@ THE SOFTWARE.
         break;
     }
 
+    /* we now check whether the `size' and `offset' values are reasonable: */
+    /* `offset' + `size' must not exceed the stream size                   */
+    tables = face->toc.tables;
+    for ( n = 0; n < toc->count; n++ )
+    {
+      /* we need two checks to avoid overflow */
+      if ( ( tables->size   > stream->size                ) ||
+           ( tables->offset > stream->size - tables->size ) )
+      {
+        error = FT_THROW( Invalid_Table );
+        goto Exit;
+      }
+      tables++;
+    }
+
 #ifdef FT_DEBUG_LEVEL_TRACE
 
     {
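Review bot: The second comparison on the new side relies on the first having already rejected `tables->size > stream->size`, otherwise `stream->size - tables->size` wraps in unsigned arithmetic; the comment "we need two checks to avoid overflow" states the intent but not the dependency, so it would be clearer as `/* check size first: the subtraction below is only safe when size <= stream->size */`. The check establishes `offset + size <= stream->size` for every table, which is the invariant later table reads depend on, so it is worth naming that invariant in the block comment rather than calling the values "reasonable". Note that a second pass over `face->toc.tables` is made here; if the per-table field reads happen in a loop just above this hunk (not visible here), the check could be folded into that loop so each table is validated as soon as it is read. The enclosing `pcf_read_TOC` body starts and ends outside this hunk.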