Fix Savannah bug #43539. * src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow by a broken POST table in resource-fork.
diff --git a/ChangeLog b/ChangeLog
index 5ba75b6..8a246e8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2014-11-26 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+ Fix Savannah bug #43539.
+
+ * src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
+ by a broken POST table in resource-fork.
+
+2014-11-26 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
Fix Savannah bug #43538.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index ffbbc32..922216e 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1617,6 +1617,11 @@
goto Exit2;
if ( FT_READ_LONG( rlen ) )
goto Exit2;
+ if ( rlen < 0 )
+ {
+ error = FT_THROW( Invalid_Offset );
+ goto Exit2;
+ }
if ( FT_READ_USHORT( flags ) )
goto Exit2;
FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
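Review bot: The new `rlen < 0` rejection sits ahead of the `FT_TRACE3` call that prints the fragment, so a resource fork rejected here leaves no trace of the offending `rlen` value. Moving the check below the trace, or tracing inside the branch, would help when triaging malformed fonts. The branch also deserves a comment saying why it exists, for example `/* rlen is read from the font file; a negative value would slip past the bounds checks below */`. `Invalid_Offset` reads oddly for a length field, though whether a better-fitting error code exists is not visible from this hunk. The `FT_TRACE3` statement and the enclosing loop continue outside the hunk.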
@@ -1634,7 +1639,14 @@
rlen = 0;
if ( ( flags >> 8 ) == type )
+ {
+ if ( 0x7FFFFFFFL - rlen < len )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto Exit2;
+ }
len += rlen;
+ }
else
{
if ( pfb_lenpos + 3 > pfb_len + 2 )
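Review bot: The literal `0x7FFFFFFFL` in `if ( 0x7FFFFFFFL - rlen < len )` is an unexplained limit, and it appears again in the third hunk as `rlen > 0x7FFFFFFFL - pfb_pos`. Where `long` is wider than 32 bits this is a cap on the accumulated size rather than the type's own overflow point (assuming `len` is a `long`-sized type; its declaration is outside the hunk). A comment, or one named constant used at both sites, should say which is meant. The subtraction is only safe because `rlen` is non-negative here, which depends on the `rlen < 0` rejection in the first hunk and the `rlen = 0` clamp just above; a comment such as `/* rlen >= 0 here, so the subtraction cannot overflow */` would keep a later edit from silently removing that precondition. The `else` branch continues outside the hunk.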
@@ -1663,6 +1675,11 @@
}
error = FT_ERR( Cannot_Open_Resource );
+ if ( rlen > 0x7FFFFFFFL - pfb_pos )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto Exit2;
+ }
if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
goto Exit2;
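Review bot: The added guard and the existing test on the following line check the same bound twice. `if ( pfb_pos > pfb_len || rlen > pfb_len - pfb_pos )` covers both without any addition, since the first operand already guarantees that `pfb_len - pfb_pos` is non-negative. That form needs no constant and cannot overflow provided `pfb_pos` and `pfb_len` are never negative, which this hunk does not show. It would report `Cannot_Open_Resource` instead of `Array_Too_Large` for an oversized fragment, so keep the separate branch if callers rely on the distinct code. The enclosing loop begins outside the hunk.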