[cid] Better handle invalid glyph stream offsets (#46221). * src/cid/cidgload.c (cid_load_glyph): Check minimum size of glyph length.
diff --git a/ChangeLog b/ChangeLog
index 0073d65..19c2a8d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-18 Bungeman <bungeman@gmail.com>
+
+ [cid] Better handle invalid glyph stream offsets (#46221).
+
+ * src/cid/cidgload.c (cid_load_glyph): Check minimum size of glyph
+ length.
+
2015-10-18 Werner Lemberg <wl@gnu.org>
[psaux] Fix tracing of negative numbers.
diff --git a/src/cid/cidgload.c b/src/cid/cidgload.c
index 1fbf23d..d402f8e 100644
--- a/src/cid/cidgload.c
+++ b/src/cid/cidgload.c
@@ -157,6 +157,12 @@
/* Adjustment for seed bytes. */
cs_offset = decoder->lenIV >= 0 ? (FT_UInt)decoder->lenIV : 0;
+ if ( cs_offset > glyph_length )
+ {
+ FT_TRACE0(( "cid_load_glyph: invalid glyph stream offsets\n" ));
+ error = FT_THROW( Invalid_Offset );
+ goto Exit;
+ }
/* Decrypt only if lenIV >= 0. */
if ( decoder->lenIV >= 0 )
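Review bot: The new `goto Exit` in the `cs_offset > glyph_length` branch leaves cid_load_glyph early, and both the `Exit` label and any earlier allocation of the glyph data lie outside this hunk. Please confirm that the buffer holding the glyph stream is released on this path and not only on the fall-through path. Separately, the comparison lets `cs_offset == glyph_length` through, which leaves zero charstring bytes after the seed bytes; if an empty charstring is not meaningful at this point, `if ( cs_offset >= glyph_length )` would reject it in the same place. A one-line comment above the check, such as `/* the seed bytes must fit inside the glyph data */`, would record why the guard exists.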