[lzw] Avoid buffer overrun.

Reported as

  https://bugzilla.mozilla.org/show_bug.cgi?id=1273283

* src/lzw/ftzopen.c (ft_lzwstate_refill): Ensure `buf_size' doesn't underflow.
diff --git a/ChangeLog b/ChangeLog
index 3cf0002..da002ab 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
2016-08-16 Werner Lemberg <wl@gnu.org>
+ [lzw] Avoid buffer overrun.
+
+ Reported as
+
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1273283
+
+ * src/lzw/ftzopen.c (ft_lzwstate_refill): Ensure `buf_size' doesn't
+ underflow.
+
+2016-08-16 Werner Lemberg <wl@gnu.org>
+
[truetype] Fix compiler warning.
* src/truetype/ttgload.c (load_truetype_glyph): Add cast.
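Review bot: the new ChangeLog entry says only that `buf_size' must not underflow, but the ftzopen.c change in this commit also adds a failure path (`return -1; /* not enough data */`) to ft_lzwstate_refill. Mention in the entry that the function now fails on short input, so a reader tracing a decoding failure back to this commit can see that the behaviour change is intended.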
diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c
index e17b3c5..32839cc 100644
--- a/src/lzw/ftzopen.c
+++ b/src/lzw/ftzopen.c
@@ -42,7 +42,12 @@
state->buf_total += count;
state->in_eof = FT_BOOL( count < state->num_bits );
state->buf_offset = 0;
- state->buf_size = ( state->buf_size << 3 ) - ( state->num_bits - 1 );
+
+ state->buf_size <<= 3;
+ if ( state->buf_size > state->num_bits )
+ state->buf_size -= state->num_bits - 1;
+ else
+ return -1; /* not enough data */
if ( count == 0 ) /* end of file */
return -1;
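Review bot: the guard `if ( state->buf_size > state->num_bits )` is stricter than the underflow it protects against, since at `buf_size == num_bits` the subtraction `buf_size - ( num_bits - 1 )` yields 1 and only values below `num_bits - 1` wrap. If a buffer holding exactly one code is meant to count as "not enough data", say so in the comment; otherwise `>=` matches the stated intent. Separately, the new `return -1` is reached after `buf_total`, `in_eof` and `buf_offset` have been written and `buf_size` has been shifted to a bit count, so it is worth documenting that the state is not usable for further reads once this path is taken. A blank line before `if ( count == 0 )` would also keep the end-of-file check visually separate from the new block.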