[type1] Protect against invalid number of subroutines (#46150). * src/type1/t1load.c (parse_subrs): Check number of `Subrs' dictionary entries against size of data stream.
diff --git a/ChangeLog b/ChangeLog
index 5286ee8..8fb955e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-08 Werner Lemberg <wl@gnu.org>
+
+ [type1] Protect against invalid number of subroutines (#46150).
+
+ * src/type1/t1load.c (parse_subrs): Check number of
+ `Subrs' dictionary entries against size of data stream.
+
2015-10-07 Kostya Serebryany <kcc@google.com>
[ftfuzzer] Add support for LLVM's LibFuzzer.
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index dbf4eaf..01fb60f 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1420,6 +1420,21 @@
}
num_subrs = (FT_Int)T1_ToInt( parser );
+ if ( num_subrs < 0 )
+ {
+ parser->root.error = FT_THROW( Invalid_File_Format );
+ return;
+ }
+
+ /* we certainly need more than 8 bytes per subroutine */
+ if ( num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
+ {
+ FT_TRACE0(( "parse_subrs: adjusting number of subroutines"
+ " (from %d to %d)\n",
+ num_subrs,
+ ( parser->root.limit - parser->root.cursor ) >> 3 ));
+ num_subrs = ( parser->root.limit - parser->root.cursor ) >> 3;
+ }
/* position the parser right before the `dup' of the first subr */
T1_Skip_PS_Token( parser ); /* `array' */