[cff] Truncate the element length at the end of the stream. See Savannah bug #30975. * src/cff/cffload.c (cff_index_access_element): `off2', the offset to the next element, is truncated at the end of the stream to prevent invalid I/O. Since `off1', the offset to the requested element, has already been checked by FT_STREAM_SEEK(), `off2' should be checked similarly.
diff --git a/ChangeLog b/ChangeLog
index 8544a41..e6d0602 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,15 @@
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
+ [cff] Truncate the element length at the end of the stream.
+ See Savannah bug #30975.
+
+ * src/cff/cffload.c (cff_index_access_element): `off2', the
+ offset to the next element is truncated at the end of the
+ stream to prevent invalid I/O. As `off1', the offset to the
+ requested element has been checked by FT_STREAM_SEEK(),
+ `off2' should be checked similarly.
+
+2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
[cff] Ignore CID > 0xFFFFU.
See Savannah bug #30975.
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 8f29343..c0f2109 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -519,6 +519,17 @@
}
}
+ /* XXX: should check off2 does not exceed the end of this entry */
+ /* at present, only truncate off 2 at the end of this stream */
+ if ( idx->data_offset + off2 - 1 > stream->size )
+ {
+ FT_ERROR(( "cff_index_access_element:"
+ " offset to next entry (%d)"
+ " exceeds the end of stream (%d)\n",
+ off2, stream->size - idx->data_offset + 1 ));
+ off2 = stream->size - idx->data_offset + 1;
+ }
+
/* access element */
if ( off1 && off2 > off1 )
{
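Review bot: The new guard `idx->data_offset + off2 - 1 > stream->size` evaluates an offset read from the font in unsigned arithmetic, so a large off2 (presumably FT_ULong, as elsewhere in this file) can make the sum wrap to a small value and pass the very check this hunk adds; the wrap-free form compares each term against what remains, `if ( off2 > stream->size + 1 || idx->data_offset > stream->size - off2 + 1 )`. The same expression `stream->size - idx->data_offset + 1` is used both as the clamp value and in the message, so it is worth confirming earlier in cff_index_access_element — whose body lies outside this hunk — that data_offset has already been bounded by stream->size, otherwise that subtraction wraps too. The `%d` conversions in the FT_ERROR call look mismatched if off2 and stream->size are unsigned long; `%ld` would agree with the other FT_ERROR messages in this file. In the second added comment, `off 2` should read `off2`.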