Commit af7b8b1a9f33399fe686c3ba44ae8ae655bfe513
2011-03-20T07:51:57
* src/sfnt/sfobjs.c (sfnt_open_font): Check number of TTC subfonts.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61
diff --git a/ChangeLog b/ChangeLog
index 8678ecb..0013059 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2011-03-20 Werner Lemberg <wl@gnu.org>
+
+ * src/sfnt/sfobjs.c (sfnt_open_font): Check number of TTC subfonts.
+
2011-03-19 Werner Lemberg <wl@gnu.org>
More C++ compilation fixes.
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
index 5a1d003..e581af9 100644
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -4,7 +4,7 @@
/* */
/* SFNT object management (base). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010 by */
+/* Copyright 1996-2008, 2010-2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -356,7 +356,7 @@
FT_FRAME_START( 8 ),
FT_FRAME_LONG( version ),
- FT_FRAME_LONG( count ),
+ FT_FRAME_LONG( count ), /* this is ULong in the specs */
FT_FRAME_END
};
@@ -390,6 +390,17 @@
if ( FT_STREAM_READ_FIELDS( ttc_header_fields, &face->ttc_header ) )
return error;
+ if ( face->ttc_header.count == 0 )
+ return SFNT_Err_Invalid_Table;
+
+ /* a rough size estimate: let's conservatively assume that there */
+ /* is just a single table info in each subfont header (12 + 16*1 = */
+ /* 28 bytes), thus we have (at least) `12 + 4*count' bytes for the */
+ /* size of the TTC header plus `28*count' bytes for all subfont */
+ /* headers */
+ if ( (FT_ULong)face->ttc_header.count > stream->size / ( 28 + 4 ) )
+ return SFNT_Err_Array_Too_Large;
+
/* now read the offsets of each font in the file */
if ( FT_NEW_ARRAY( face->ttc_header.offsets, face->ttc_header.count ) )
return error;
@@ -536,7 +547,7 @@
FT_UNUSED( face_index );
/* Check parameters */
-
+
{
FT_Int i;