* src/pfr/pfrload.c (pfr_log_font_count): Better font size estimate.
diff --git a/ChangeLog b/ChangeLog
index 520564a..b1cbd69 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
2016-03-30 Werner Lemberg <wl@gnu.org>
+ * src/pfr/pfrload.c (pfr_log_font_count): Better font size estimate.
+
+2016-03-30 Werner Lemberg <wl@gnu.org>
+
* src/pfr/pfrload.c (pfr_aux_name_load): Fix memory leak (#47567).
2016-03-29 Werner Lemberg <wl@gnu.org>
diff --git a/src/pfr/pfrload.c b/src/pfr/pfrload.c
index 8592045..989dd05 100644
--- a/src/pfr/pfrload.c
+++ b/src/pfr/pfrload.c
@@ -299,9 +299,15 @@
FT_READ_USHORT( count ) )
goto Exit;
- /* check maximum value and a rough minimum size */
+ /* check maximum value and a rough minimum size: */
+ /* - no more than 13106 log fonts */
+ /* - we need 5 bytes for a log header record */
+ /* - we need at least 18 bytes for a log font record */
+ /* - the overall size is at least 95 bytes plus the */
+ /* log header and log font records */
if ( count > ( ( 1 << 16 ) - 2 ) / 5 ||
- 2 + count * 5 >= stream->size - section_offset )
+ 2 + count * 5 >= stream->size - section_offset ||
+ 95 + count * ( 5 + 18 ) >= stream->size )
{
FT_ERROR(( "pfr_log_font_count:"
" invalid number of logical fonts\n" ));