Commit 2dc76a46509d1acbbbdf82987a690c0f9f777b92

Werner Lemberg 2010-07-05T06:40:02

[cff] Next try to fix `hintmask' and `cntrmask' limit check. Problem reported by malc <av1474@comtv.ru>. * src/cff/cffgload.c (cff_decoder_parse_charstrings) <cff_op_hintmask>: It is possible that there is just a single byte after the `hintmask' or `cntrmask', e.g., a `return' instruction.

diff --git a/ChangeLog b/ChangeLog
index 888788f..42c0698 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2010-07-05  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Next try to fix `hintmask' and `cntrmask' limit check.
+
+	Problem reported by malc <av1474@comtv.ru>.
+
+	* src/cff/cffgload.c (cff_decoder_parse_charstrings)
+	<cff_op_hintmask>: It is possible that there is just a single byte
+	after the `hintmask' or `cntrmask', e.g., a `return' instruction.
+
 2010-07-04  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
 
 	Restrict the number of the charmaps in a rogue-compatible mode.
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index f81b2f4..4a5f8f0 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -1339,12 +1339,12 @@
             decoder->num_hints += num_args / 2;
           }
 
-          /* In a valid charstring there must be at least three bytes */
-          /* after `hintmask' or `cntrmask' (two for a `moveto'       */
-          /* operator and one for `endchar').  Additionally, there    */
-          /* must be space for `num_hints' bits.                      */
+          /* In a valid charstring there must be at least one byte */
+          /* after `hintmask' or `cntrmask' (e.g., for a `return'  */
+          /* instruction).  Additionally, there must be space for  */
+          /* `num_hints' bits.                                     */
 
-          if ( ( ip + 3 + ( ( decoder->num_hints + 7 ) >> 3 ) ) >= limit )
+          if ( ( ip + 1 + ( ( decoder->num_hints + 7 ) >> 3 ) ) >= limit )
             goto Syntax_Error;
 
           if ( hinter )
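Review bot: The relaxed bound still rejects the case the new comment declares valid: with `>=`, a charstring whose mask bytes are followed by exactly one byte (`ip + 1 + mask_bytes == limit`) takes the Syntax_Error branch, assuming `ip` already points at the first mask byte at this point (the operator dispatch is outside the hunk). If one trailing byte is all that is required, the test matching the comment is `if ( ( ip + 1 + ( ( decoder->num_hints + 7 ) >> 3 ) ) > limit )`, or equivalently keep `>=` and drop the `+ 1`. It would also be more robust to write the check as a length comparison, `if ( limit - ip < 1 + ( ( decoder->num_hints + 7 ) >> 3 ) )`, since forming `ip + 1 + mask_bytes` for a large `num_hints` from a malformed font computes a pointer past the end of the charstring buffer before it is ever compared. cff_decoder_parse_charstrings begins and ends outside the hunk.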