[sfnt] Fix Savannah bug #43590. * src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir): Protect against addition overflow.
diff --git a/ChangeLog b/ChangeLog
index 417af86..b42b929 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2014-11-12 Werner Lemberg <wl@gnu.org>
+ [sfnt] Fix Savannah bug #43590.
+
+ * src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
+ Protect against addition overflow.
+
+2014-11-12 Werner Lemberg <wl@gnu.org>
+
[sfnt] Fix Savannah bug #43589.
* src/sfnt/sfobjs.c (woff_open_font): Protect against addition
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index 0a3cd29..8338150 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -5,7 +5,7 @@
/* Load the basic TrueType tables, i.e., tables that can be either in */
/* TTF or OTF fonts (body). */
/* */
-/* Copyright 1996-2010, 2012, 2013 by */
+/* Copyright 1996-2010, 2012-2014 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -207,7 +207,10 @@
}
/* we ignore invalid tables */
- if ( table.Offset + table.Length > stream->size )
+
+ /* table.Offset + table.Length > stream->size ? */
+ if ( table.Length > stream->size ||
+ table.Offset > stream->size - table.Length )
{
FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
continue;
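Review bot: The comment added above the new condition only restates the sum it replaces and does not say why the check is written in subtracted form, so a later maintainer may "simplify" it back to `table.Offset + table.Length > stream->size` and reintroduce the wrap-around this commit fixes. I would replace the comment with `/* table.Offset + table.Length > stream->size, written so that the sum cannot wrap around (both are unsigned) */`. The split form itself looks right: the first test guarantees `stream->size - table.Length` cannot underflow before the second comparison. check_table_dir starts and ends outside this hunk.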
@@ -395,7 +398,10 @@
entry->Length = FT_GET_ULONG();
/* ignore invalid tables */
- if ( entry->Offset + entry->Length > stream->size )
+
+ /* entry->Offset + entry->Length > stream->size ? */
+ if ( entry->Length > stream->size ||
+ entry->Offset > stream->size - entry->Length )
continue;
else
{
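Review bot: The same two-part overflow-safe range check now appears twice in this file (here and in check_table_dir), which invites the two copies drifting apart the next time one of them is touched. A small file-local helper such as `static FT_Bool tt_range_in_stream( FT_ULong offset, FT_ULong length, FT_ULong size ) { return length <= size && offset <= size - length; }` would let both sites read `if ( !tt_range_in_stream( entry->Offset, entry->Length, stream->size ) )` and keep the overflow reasoning in one place. As with the other hunk, the comment above the condition should explain that the subtraction is there to avoid unsigned wrap-around rather than merely restating the original sum. tt_face_load_font_dir begins before this hunk and its loop body continues after it.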