Commit 581c7e2a510ed09b1401af8d9b7ed5eb329a954b
2015-09-15T06:49:06
[type1, type42] Check encoding array size (#45961). * src/type1/t1load.c (parse_encoding), src/type42/t42parse.c (t42_parse_encoding): Do it.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55
diff --git a/ChangeLog b/ChangeLog
index cd4fe58..a69a1a4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-09-15 Werner Lemberg <wl@gnu.org>
+
+ [type1, type42] Check encoding array size (#45961).
+
+ * src/type1/t1load.c (parse_encoding), src/type42/t42parse.c
+ (t42_parse_encoding): Do it.
+
2015-09-14 Alexei Podtelezhnikov <apodtele@gmail.com>
* src/base/ftcalc.c (FT_MulFix) [FT_LONG64]: Improve.
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index 630f057..4d065f8 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1192,6 +1192,15 @@
else
count = (FT_Int)T1_ToInt( parser );
+ /* only composite fonts (which we don't support) */
+ /* can have larger values */
+ if ( count > 256 )
+ {
+ FT_ERROR(( "parse_encoding: invalid encoding array size\n" ));
+ parser->root.error = FT_THROW( Invalid_File_Format );
+ return;
+ }
+
T1_Skip_Spaces( parser );
if ( parser->root.cursor >= limit )
return;
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index f7d5eb6..ae062da 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -332,6 +332,15 @@
else
count = (FT_Int)T1_ToInt( parser );
+ /* only composite fonts (which we don't support) */
+ /* can have larger values */
+ if ( count > 256 )
+ {
+ FT_ERROR(( "t42_parse_encoding: invalid encoding array size\n" ));
+ parser->root.error = FT_THROW( Invalid_File_Format );
+ return;
+ }
+
T1_Skip_Spaces( parser );
if ( parser->root.cursor >= limit )
return;