Commit f46add13895337ece929b18bb8f036431b3fb538

Werner Lemberg 2014-11-12T21:06:08

[sfnt] Fix Savannah bug #43589. * src/sfnt/sfobjs.c (woff_open_font): Protect against addition overflow.

diff --git a/ChangeLog b/ChangeLog
index 5db1130..417af86 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2014-11-12  Werner Lemberg  <wl@gnu.org>
 
+	[sfnt] Fix Savannah bug #43589.
+
+	* src/sfnt/sfobjs.c (woff_open_font): Protect against addition
+	overflow.
+
+2014-11-12  Werner Lemberg  <wl@gnu.org>
+
 	[sfnt] Fix Savannah bug #43588.
 
 	* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
index cfea9cd..70b988d 100644
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -567,8 +567,10 @@
 
 
       if ( table->Offset != woff_offset                         ||
-           table->Offset + table->CompLength > woff.length      ||
-           sfnt_offset + table->OrigLength > woff.totalSfntSize ||
+           table->CompLength > woff.length                      ||
+           table->Offset > woff.length - table->CompLength      ||
+           table->OrigLength > woff.totalSfntSize               ||
+           sfnt_offset > woff.totalSfntSize - table->OrigLength ||
            table->CompLength > table->OrigLength                )
       {
         error = FT_THROW( Invalid_Table );