Fix Savannah bug #43547. * src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset' values.
diff --git a/ChangeLog b/ChangeLog
index fe16048..9b56e91 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2014-11-06 Werner Lemberg <wl@gnu.org>
+ Fix Savannah bug #43547.
+
+ * src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
+ values.
+
+2014-11-06 Werner Lemberg <wl@gnu.org>
+
* src/pcf/pcfread.c (pcf_read_TOC): Avoid memory leak.
2014-11-03 Infinality <infinality@infinality.net>
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index f63377b..8db31bd 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -154,6 +154,21 @@ THE SOFTWARE.
break;
}
+ /* we now check whether the `size' and `offset' values are reasonable: */
+ /* `offset' + `size' must not exceed the stream size */
+ tables = face->toc.tables;
+ for ( n = 0; n < toc->count; n++ )
+ {
+ /* we need two checks to avoid overflow */
+ if ( ( tables->size > stream->size ) ||
+ ( tables->offset > stream->size - tables->size ) )
+ {
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+ tables++;
+ }
+
#ifdef FT_DEBUG_LEVEL_TRACE
{