Commit 81f3472c0ba7b8f6466e2e214fa8c1c17fade975

suzuki toshiya 2010-08-06T14:11:54

Fix Savannah bug #30658. * src/base/ftobjs.c (Mac_Read_POST_Resource): Check the total length of collected POST segments does not overrun the allocated buffer.

diff --git a/ChangeLog b/ChangeLog
index 5b665e3..73e558f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2010-08-06  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	Fix Savannah bug #30658.
+
+	* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the total
+	length of collected POST segments does not overrun the allocated
+	buffer.
+
 2010-08-06  Yuriy Kaminskiy  <yumkam@mail.ru>
 
 	Fix conditional usage of FT_MulFix_i386.
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 9dce576..13c126f 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1574,6 +1574,7 @@
       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
                    i, offsets[i], rlen, flags ));
 
+      /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
       if ( ( flags >> 8 ) == 0 )        /* Comment, should not be loaded */
         continue;
 
@@ -1613,6 +1614,10 @@
         pfb_data[pfb_pos++] = 0;
       }
 
+      error = FT_Err_Cannot_Open_Resource;
+      if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+        goto Exit2;
+
       error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
       if ( error )
         goto Exit2;
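Review bot: The added guard `pfb_pos + rlen > pfb_len` does its bounds test with an addition on a length that appears to come from the resource data, so a very large `rlen` can wrap the sum, and a negative one (if `rlen` is signed; its declaration is outside the hunk) passes the test and reaches FT_Stream_Read() as the count. A subtractive form avoids both: `if ( rlen < 0 || pfb_pos > pfb_len || rlen > pfb_len - pfb_pos )`, dropping the `rlen < 0` term if the type turns out to be unsigned. The check also runs only after the context line `pfb_data[pfb_pos++] = 0;` has already stored into the buffer, so an overrun by those header bytes is detected after the write rather than prevented. A test that the header bytes fit, placed before those stores, would close that gap. The enclosing loop body starts and ends outside the hunk, so the number of header bytes written should be confirmed against the full function.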