[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master 5614090: * src/type1/t1load.c (parse_subrs): Fix limi
From: |
Werner LEMBERG |
Subject: |
[freetype2] master 5614090: * src/type1/t1load.c (parse_subrs): Fix limit check. |
Date: |
Wed, 26 Oct 2016 06:11:12 +0000 (UTC) |
branch: master
commit 5614090725658439e7b4260c50a031c7355bab2a
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>
* src/type1/t1load.c (parse_subrs): Fix limit check.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=81
---
ChangeLog | 8 ++++++++
src/type1/t1load.c | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 5dd973e..1cd94bb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2016-10-26 Werner Lemberg <address@hidden>
+
+ * src/type1/t1load.c (parse_subrs): Fix limit check.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=81
+
2016-10-25 Alexei Podtelezhnikov <address@hidden>
[cff] Correct cmap format reporting (#24819).
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index aa25919..c573a46 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1433,7 +1433,7 @@
}
/* we certainly need more than 8 bytes per subroutine */
- if ( parser->root.limit > parser->root.cursor &&
+ if ( parser->root.limit >= parser->root.cursor &&
num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
{
/*
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master 5614090: * src/type1/t1load.c (parse_subrs): Fix limit check.,
Werner LEMBERG <=