[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master 06c2d33: [type42] Protect against invalid number of g
|
From: |
Werner LEMBERG |
|
Subject: |
[freetype2] master 06c2d33: [type42] Protect against invalid number of glyphs (#46159). |
|
Date: |
Thu, 08 Oct 2015 19:32:52 +0000 |
branch: master
commit 06c2d3324e8a8dbe153d51129adadd8d8eb4f834
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>
[type42] Protect against invalid number of glyphs (#46159).
* src/type42/t42parse.c (t42_parse_charstrings): Check number of
`CharStrings' dictionary entries against size of data stream.
---
ChangeLog | 7 +++++++
src/type42/t42parse.c | 11 +++++++++++
2 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 066136a..f4e30c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2015-10-08 Werner Lemberg <address@hidden>
+ [type42] Protect against invalid number of glyphs (#46159).
+
+ * src/type42/t42parse.c (t42_parse_charstrings): Check number of
+ `CharStrings' dictionary entries against size of data stream.
+
+2015-10-08 Werner Lemberg <address@hidden>
+
[sfnt] Fix some signed overflows (#46149).
* src/sfnt/ttsbit.c (tt_face_load_strike_metrics)
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index 003b63e..a32d496 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -795,6 +795,17 @@
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
+
+ /* we certainly need more than 4 bytes per glyph */
+ if ( loader->num_glyphs > ( limit - parser->root.cursor ) >> 2 )
+ {
+ FT_TRACE0(( "t42_parse_charstrings: adjusting number of glyphs"
+ " (from %d to %d)\n",
+ loader->num_glyphs,
+ ( limit - parser->root.cursor ) >> 2 ));
+ loader->num_glyphs = ( limit - parser->root.cursor ) >> 2;
+ }
+
}
else if ( *parser->root.cursor == '<' )
{
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master 06c2d33: [type42] Protect against invalid number of glyphs (#46159).,
Werner LEMBERG <=