* src/winfnt/winfnt.c (FNT_Face_Init): Check `family_size'.
diff --git a/ChangeLog b/ChangeLog
index 777248a..4e1e664 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,9 @@
* src/pfr/pfrtypes.h (PFR_GlyphRec): Comment out unused code.
+
+ * src/winfnt/winfnt.c (FNT_Face_Init): Check `family_size'.
+
2007-06-04 Werner Lemberg <wl@gnu.org>
* src/cid/cidgload.c (cid_load_glyph): Check `fd_select'.
diff --git a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c
index d0251cf..31ae545 100644
--- a/src/winfonts/winfnt.c
+++ b/src/winfonts/winfnt.c
@@ -536,11 +536,17 @@
root->num_glyphs = font->header.last_char -
font->header.first_char + 1 + 1;
+ if ( font->header.face_name_offset >= font->header.file_size )
+ {
+ FT_TRACE2(( "invalid family name offset!\n" ));
+ error = FNT_Err_Invalid_File_Format;
+ goto Fail;
+ }
+ family_size = font->header.file_size - font->header.face_name_offset;
/* Some broken fonts don't delimit the face name with a final */
/* NULL byte -- the frame is erroneously one byte too small. */
/* We thus allocate one more byte, setting it explicitly to */
/* zero. */
- family_size = font->header.file_size - font->header.face_name_offset;
if ( FT_ALLOC( font->family_name, family_size + 1 ) )
goto Fail;