kc3-lang/freetype

Browse

Commit 812ed3418969a013fce68c3884f7f8fc23c6b4bf

Werner Lemberg 2014-12-11T14:07:29

* src/type42/t42parse.c (t42_parse_sfnts): Reject invalid TTF size. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

diff --git a/ChangeLog b/ChangeLog
index bbc0422..67b9e5a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2014-12-11  Werner Lemberg  <wl@gnu.org>
 
+	* src/type42/t42parse.c (t42_parse_sfnts): Reject invalid TTF size.
+
+2014-12-11  Werner Lemberg  <wl@gnu.org>
+
 	* src/base/ftobjs.c (FT_Get_Glyph_Name): Fix off-by-one check.
 
 	Problem reported by Dennis Felsing <dennis@felsin9.de>.
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index bdecba9..5070853 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -667,6 +667,13 @@
             status         = BEFORE_TABLE_DIR;
             face->ttf_size = 12 + 16 * num_tables;
 
+            if ( (FT_ULong)( limit - parser->root.cursor ) < face->ttf_size )
+            {
+              FT_ERROR(( "t42_parse_sfnts: invalid data in sfnts array\n" ));
+              error = FT_THROW( Invalid_File_Format );
+              goto Fail;
+            }
+
             if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
               goto Fail;
           }
kmx.io     mail     discord kmxgit v0.4.0