freetype-commit

[freetype2] master 1211224: [type1] Protect against invalid number of su


From: Werner LEMBERG
Subject: [freetype2] master 1211224: [type1] Protect against invalid number of subroutines (#46150).
Date: Thu, 08 Oct 2015 09:33:35 +0000

branch: master
commit 121122416d36126d3ce46287e9617690722b83e9
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [type1] Protect against invalid number of subroutines (#46150).
    
    * src/type1/t1load.c (parse_subrs): Check number of
    `Subrs' dictionary entries against size of data stream.
---
 ChangeLog          |    7 +++++++
 src/type1/t1load.c |   15 +++++++++++++++
 2 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 5286ee8..8fb955e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-08  Werner Lemberg  <address@hidden>
+
+       [type1] Protect against invalid number of subroutines (#46150).
+
+       * src/type1/t1load.c (parse_subrs): Check number of
+       `Subrs' dictionary entries against size of data stream.
+
 2015-10-07  Kostya Serebryany  <address@hidden>
 
        [ftfuzzer] Add support for LLVM's LibFuzzer.
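Review bot: The new ChangeLog entry mentions only the check against the size of the data stream, while the `parse_subrs` change in this commit also rejects a negative count with `Invalid_File_Format` and, for an oversized count, lowers the value instead of failing. Suggest naming both behaviours in the entry, since one path aborts parsing and the other continues with an adjusted count.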
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index dbf4eaf..01fb60f 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1420,6 +1420,21 @@
     }
 
     num_subrs = (FT_Int)T1_ToInt( parser );
+    if ( num_subrs < 0 )
+    {
+      parser->root.error = FT_THROW( Invalid_File_Format );
+      return;
+    }
+
+    /* we certainly need more than 8 bytes per subroutine */
+    if ( num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
+    {
+      FT_TRACE0(( "parse_subrs: adjusting number of subroutines"
+                  " (from %d to %d)\n",
+                  num_subrs,
+                  ( parser->root.limit - parser->root.cursor ) >> 3 ));
+      num_subrs = ( parser->root.limit - parser->root.cursor ) >> 3;
+    }
 
     /* position the parser right before the `dup' of the first subr */
     T1_Skip_PS_Token( parser );         /* `array' */
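Review bot: In the clamping branch, the expression `( parser->root.limit - parser->root.cursor ) >> 3` is written three times, and its result is both passed to a `%d` conversion in `FT_TRACE0` and assigned to `num_subrs` (an `FT_Int`, per the cast on the unchanged line above) without a cast. If `limit` and `cursor` are pointers, the difference has type `ptrdiff_t`, which is wider than `int` on LP64 targets, so the trace argument does not match its format and the assignment narrows implicitly. Suggest computing the bound once into a local of a known type, with an explicit cast, and using that local in the comparison, the trace call and the assignment. Separately, a negative count is a hard error while an oversized count is reduced with only a trace message; a short comment explaining why the two cases are handled differently would help the next reader.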


