kc3-lang/freetype

Browse

Commit e3058617f384cb6709f3878f753fa17aca9e3a30

Werner Lemberg 2015-09-13T08:41:43

[type1] Fix potential buffer overflow (#45923). * src/type1/t1parse.c (T1_Get_Private_Dict): Assure `cur' doesn't point to end of file buffer. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

diff --git a/ChangeLog b/ChangeLog
index 3618f24..47cfcf3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2015-09-13  Werner Lemberg  <wl@gnu.org>
 
+	[type1] Fix potential buffer overflow (#45923).
+
+	* src/type1/t1parse.c (T1_Get_Private_Dict): Assure `cur' doesn't
+	point to end of file buffer.
+
+2015-09-13  Werner Lemberg  <wl@gnu.org>
+
 	[gzip] Fix access of small compressed files (#45937).
 
 	* src/gzip/ftgzip.c (ft_gzip_stream_close): Avoid memory leak.
diff --git a/src/type1/t1parse.c b/src/type1/t1parse.c
index c73b2b2..d8d4df2 100644
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -389,6 +389,15 @@
 
       cur   = limit;
       limit = parser->base_dict + parser->base_len;
+
+      if ( cur >= limit )
+      {
+        FT_ERROR(( "T1_Get_Private_Dict:"
+                   " premature end in private dictionary\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Exit;
+      }
+
       goto Again;
 
       /* now determine where to write the _encrypted_ binary private  */
kmx.io     mail     discord kmxgit v0.4.0