[freetype2] master beecf80: [cff] Fix heap buffer overflow (#49858).
From: Werner LEMBERG
Subject: [freetype2] master beecf80: [cff] Fix heap buffer overflow (#49858).
Date: Fri, 16 Dec 2016 07:52:22 +0000 (UTC)
branch: master
commit beecf80a6deecbaf5d264d4f864451bde4fe98b8
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>
[cff] Fix heap buffer overflow (#49858).
* src/cff/cffparse.c (cff_parser_run): Add one more stack size
check.
---
ChangeLog | 7 +++++++
src/cff/cffparse.c | 10 +++++++---
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 77899d4..1243bd4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-12-16 Werner Lemberg <address@hidden>
+
+ [cff] Fix heap buffer overflow (#49858).
+
+ * src/cff/cffparse.c (cff_parser_run): Add one more stack size
+ check.
+
2016-12-15 Werner Lemberg <address@hidden>
Fix clang warnings.
diff --git a/src/cff/cffparse.c b/src/cff/cffparse.c
index 022c289..9b5ad72 100644
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@@ -1422,13 +1422,17 @@
/* and look for it in our current list. */
FT_UInt code;
- FT_UInt num_args = (FT_UInt)
- ( parser->top - parser->stack );
+ FT_UInt num_args;
const CFF_Field_Handler* field;
+ if ( (FT_UInt)( parser->top - parser->stack ) >= parser->stackSize )
+ goto Stack_Overflow;
+
+ num_args = (FT_UInt)( parser->top - parser->stack );
*parser->top = p;
- code = v;
+ code = v;
+
if ( v == 12 )
{
/* two byte operator */
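Review bot: the new guard `if ( (FT_UInt)( parser->top - parser->stack ) >= parser->stackSize )` and the `num_args = (FT_UInt)( parser->top - parser->stack );` assignment three lines later evaluate the same expression; compute `num_args` first and test that (`if ( num_args >= parser->stackSize ) goto Stack_Overflow;`) so the bound check and the value it protects cannot drift apart in a later edit. The `>=` is the correct comparison here: the store `*parser->top = p;` writes at index `top - stack`, which must be strictly less than `parser->stackSize`. The `Stack_Overflow` label and the earlier stack-size check the commit message refers to are outside this hunk, so the reviewer cannot confirm from the diff alone that the error path cleans up consistently with the existing check; worth a glance at that label. The re-indentation of `code = v;` is unrelated whitespace noise and would be cleaner in a separate commit.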