[cff] Fix heap buffer overflow (#49858). * src/cff/cffparse.c (cff_parser_run): Add one more stack size check.
diff --git a/ChangeLog b/ChangeLog
index 77899d4..1243bd4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-12-16 Werner Lemberg <wl@gnu.org>
+
+ [cff] Fix heap buffer overflow (#49858).
+
+ * src/cff/cffparse.c (cff_parser_run): Add one more stack size
+ check.
+
2016-12-15 Werner Lemberg <wl@gnu.org>
Fix clang warnings.
diff --git a/src/cff/cffparse.c b/src/cff/cffparse.c
index 022c289..9b5ad72 100644
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@@ -1422,13 +1422,17 @@
/* and look for it in our current list. */
FT_UInt code;
- FT_UInt num_args = (FT_UInt)
- ( parser->top - parser->stack );
+ FT_UInt num_args;
const CFF_Field_Handler* field;
+ if ( (FT_UInt)( parser->top - parser->stack ) >= parser->stackSize )
+ goto Stack_Overflow;
+
+ num_args = (FT_UInt)( parser->top - parser->stack );
*parser->top = p;
- code = v;
+ code = v;
+
if ( v == 12 )
{
/* two byte operator */
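Review bot: The pointer difference `parser->top - parser->stack` is now evaluated twice in the hunk, once in the new bound check and again in the assignment to num_args two lines later; computing num_args first and testing it keeps one expression, `num_args = (FT_UInt)( parser->top - parser->stack );` then `if ( num_args >= parser->stackSize ) goto Stack_Overflow;`. The check itself is correctly placed immediately before the store `*parser->top = p;`, which is the write that ran past the end of the operand stack when the stack was already full (the commit title's #49858 overflow). Since the fix is a bound on an attacker-controlled operand count, a short why-comment on the check would help the next reader, e.g. `/* the store to *parser->top below needs one free stack slot */`. The cast to FT_UInt also means a (never expected) negative difference would fall into the Stack_Overflow path rather than index the stack, which is the safe direction; the type of parser->stackSize is not visible here, so the comparison's signedness is assumed to match. cff_parser_run continues outside the hunk.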