Initial fix for Savannah bug #30306. * src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen', the length of the fragment declared in the POST fragment header, and prevent an underflow in the length calculation. Some fonts set the length to zero in spite of the existence of the following 16-bit `type'. Reported by Robert Swiecki.
diff --git a/ChangeLog b/ChangeLog
index de3c507..af91e00 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
2010-07-01 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+ Initial fix for Savannah bug #30306.
+
+ * src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen'
+ the length of fragment declared in the POST fragment header
+ and prevent an underflow in length calculation. Some fonts
+ set the length to zero in spite of the exist of following
+ 16bit `type'. Reported by Robert Swiecki.
+
+2010-07-01 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
Additional fix for Savannah bug #30248 and #30249.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
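Review bot: The new ChangeLog entry has a grammatical slip and a slightly misleading description: "in spite of the exist of following 16bit `type'" should read "in spite of the existence of the following 16-bit `type'", and since the code that follows reads a 16-bit `flags' word and takes `type' from its high byte (`flags >> 8`), the entry would be clearer if it said the two bytes in question are the fragment's `flags' (of which `type' is the upper byte). Describing the underflow explicitly ("`rlen -= 2' wrapped when `rlen' was 0 or 1") would also help future readers of the log.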
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 9217b87..7c2662f 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1547,7 +1547,16 @@
goto Exit;
if ( FT_READ_USHORT( flags ) )
goto Exit;
- rlen -= 2; /* the flags are part of the resource */
+ FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+ i, offsets[i], rlen, flags ));
+
+ /* the flags are part of the resource, so rlen >= 2. */
+ /* but some fonts declare rlen = 0 for empty fragment */
+ if ( rlen > 2 )
+ rlen -= 2;
+ else
+ rlen = 0;
+
if ( ( flags >> 8 ) == type )
len += rlen;
else
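Review bot: The comment and the condition disagree: the comment says "rlen >= 2" but the test is `if ( rlen > 2 )`, so the `rlen == 2` case (flags only, empty fragment) falls into the `else` branch. The result is the same (0 either way), but `if ( rlen >= 2 )` would match the comment and make the intent obvious. Also note that `FT_READ_USHORT( flags )` has already consumed two bytes regardless of the declared `rlen`, so when `rlen` is 0 or 1 the read has gone past the fragment the header described; clamping to 0 avoids the underflow, which is the right fix, but a `FT_TRACE` or `FT_ERROR` message in the `else` branch would make such malformed fonts visible in the trace output rather than silently accepted.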