Fix Savannah bug #30656. * src/type42/t42parse.c (t42_parse_sfnts): Protect against negative string_size. Fix comparison.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59
diff --git a/ChangeLog b/ChangeLog
index b042fc9..4235ffb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2010-08-05 Werner Lemberg <wl@gnu.org>
+
+ Fix Savannah bug #30656.
+
+ * src/type42/t42parse.c (t42_parse_sfnts): Protect against negative
+ string_size.
+ Fix comparison.
+
2010-08-05 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
[cff] Don't use any values in decoder after parsing error.
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index 4dc7203..5774269 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -4,7 +4,7 @@
/* */
/* Type 42 font parser (body). */
/* */
-/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
+/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
/* Roberto Alameda. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -577,6 +577,12 @@
}
string_size = T1_ToInt( parser );
+ if ( string_size < 0 )
+ {
+ FT_ERROR(( "t42_parse_sfnts: invalid string size\n" ));
+ error = T42_Err_Invalid_File_Format;
+ goto Fail;
+ }
T1_Skip_PS_Token( parser ); /* `RD' */
if ( parser->root.error )
@@ -584,13 +590,14 @@
string_buf = parser->root.cursor + 1; /* one space after `RD' */
- parser->root.cursor += string_size + 1;
- if ( parser->root.cursor >= limit )
+ if ( limit - parser->root.cursor < string_size )
{
FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
error = T42_Err_Invalid_File_Format;
goto Fail;
}
+ else
+ parser->root.cursor += string_size + 1;
}
if ( !string_buf )