Commit c46b1e2476cc1804c0dd25d463be3c99d58befd7
2011-07-08T13:46:42
[psaux] Add better argument check for `callothersubr'. * src/psaux/t1decode.c (t1_decoder_parse_charstrings) <op_callothersubr>: Reject negative arguments.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39
diff --git a/ChangeLog b/ChangeLog
index 25fb10c..c58d6bf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-07-08 Werner Lemberg <wl@gnu.org>
+
+ [psaux] Add better argument check for `callothersubr'.
+
+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+ <op_callothersubr>: Reject negative arguments.
+
2011-07-07 Werner Lemberg <wl@gnu.org>
[sfnt] Try harder to find non-zero values for ascender and descender.
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index ea31c51..a60ec38 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -4,8 +4,7 @@
/* */
/* PostScript Type 1 decoding routines (body). */
/* */
-/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 */
-/* 2010 by */
+/* Copyright 2000-2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -687,6 +686,9 @@
subr_no = (FT_Int)( top[1] >> 16 );
arg_cnt = (FT_Int)( top[0] >> 16 );
+ if ( arg_cnt < 0 || subr_no < 0 )
+ goto Unexpected_OtherSubr;
+
/***********************************************************/
/* */
/* remove all operands to callothersubr from the stack */