[type1] Fix Savannah bug #35608. * src/type1/t1parse.c (T1_Get_Private_Dict): Reject too short dictionaries.
diff --git a/ChangeLog b/ChangeLog
index f305ef6..270389b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2012-02-26 Werner Lemberg <wl@gnu.org>
+ [type1] Fix Savannah bug #35608.
+
+ * src/type1/t1parse.c (T1_Get_Private_Dict): Reject too short
+ dictionaries.
+
+2012-02-26 Werner Lemberg <wl@gnu.org>
+
[bdf] Support `ENCODING -1 <n>' format.
* src/bdf/bdflib.c (_bdf_parse_glyphs) <ENCODING>: Implement it.
diff --git a/src/type1/t1parse.c b/src/type1/t1parse.c
index d7b2ca5..4955279 100644
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -4,7 +4,7 @@
/* */
/* Type 1 parser (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by */
+/* Copyright 1996-2005, 2008, 2009, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -467,6 +467,14 @@
/* we now decrypt the encoded binary private dictionary */
psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U );
+ if ( parser->private_len < 4 )
+ {
+ FT_ERROR(( "T1_Get_Private_Dict:"
+ " invalid private dictionary section\n" ));
+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
/* replace the four random bytes at the beginning with whitespace */
parser->private_dict[0] = ' ';
parser->private_dict[1] = ' ';
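Review bot: The new `if ( parser->private_len < 4 )` check sits after the `psaux->t1_decrypt( ... )` call, so a dictionary that is about to be rejected is still decrypted in place first. Because `private_len` is passed to the call by value, the block can move above it without changing the result, and the length is then validated before the buffer is touched. A short comment such as `/* the section must hold at least the four random lead bytes overwritten below */` would tie the constant 4 to the writes that follow. T1_Get_Private_Dict starts and ends outside this hunk, so what the `Fail` label releases is not visible here. It is worth confirming that `private_dict` is not left allocated on this path.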