Commit 2439c515a79fe05ebc9d1a91d94b21ff716524a7

Werner Lemberg 2015-09-25T16:54:28

[type1] Protect against invalid number of glyphs (#46029). * src/type1/t1load.c (parse_charstrings): Check number of `CharStrings' dictionary entries against size of data stream.

diff --git a/ChangeLog b/ChangeLog
index 1cc65ba..e54092d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-09-25  Werner Lemberg  <wl@gnu.org>
+
+	[type1] Protect against invalid number of glyphs (#46029).
+
+	* src/type1/t1load.c (parse_charstrings): Check number of
+	`CharStrings' dictionary entries against size of data stream.
+
 2015-09-23  Werner Lemberg  <wl@gnu.org>
 
 	[sfnt] Better checks for invalid cmaps (2/2) (#46019).
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index 479cb7a..dbf4eaf 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1541,7 +1541,7 @@
 
     PSAux_Service  psaux        = (PSAux_Service)face->psaux;
 
-    FT_Byte*       cur;
+    FT_Byte*       cur          = parser->root.cursor;
     FT_Byte*       limit        = parser->root.limit;
     FT_Int         n, num_glyphs;
     FT_Int         notdef_index = 0;
@@ -1555,6 +1555,15 @@
       goto Fail;
     }
 
+    /* we certainly need more than 8 bytes per glyph */
+    if ( num_glyphs > ( limit - cur ) >> 3 )
+    {
+      FT_TRACE0(( "parse_charstrings: adjusting number of glyphs"
+                  " (from %d to %d)\n",
+                  num_glyphs, ( limit - cur ) >> 3 ));
+      num_glyphs = ( limit - cur ) >> 3;
+    }
+
     /* some fonts like Optima-Oblique not only define the /CharStrings */
     /* array but access it also                                        */
     if ( num_glyphs == 0 || parser->root.error )
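Review bot: The FT_TRACE0 call passes `( limit - cur ) >> 3`, a ptrdiff_t, to a `%d` conversion, and the assignment on the following line narrows the same ptrdiff_t into FT_Int without a cast; on LP64 targets the format argument does not match its specifier, and `-Wconversion` will flag the assignment. Since the clamp is a heuristic, the cleanest fix is to cast explicitly: `" (from %d to %ld)\n",` / `num_glyphs, (long)( ( limit - cur ) >> 3 ) ));` / `num_glyphs = (FT_Int)( ( limit - cur ) >> 3 );`. The comment `we certainly need more than 8 bytes per glyph` would read better as `/* each entry is at least `/name len RD <data> ND'; 8 bytes per glyph is a safe lower bound */` so the constant is not a magic number. Note that `cur` is taken from `parser->root.cursor` at its declaration (the first hunk, line 1544) and is not refreshed here; if the cursor advances while the glyph count is parsed in the lines between the two hunks, `limit - cur` slightly overstates the remaining data, which is harmless for an upper bound but worth a one-line comment. The enclosing function parse_charstrings begins and ends outside both hunks.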