[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master 87fefc5: [type42] Fix heap buffer overflow (#46269).
From: |
Werner LEMBERG |
Subject: |
[freetype2] master 87fefc5: [type42] Fix heap buffer overflow (#46269). |
Date: |
Wed, 21 Oct 2015 18:30:16 +0000 |
branch: master
commit 87fefc594eeea8064766b397c93d685e261e2989
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>
[type42] Fix heap buffer overflow (#46269).
* src/type42/t42parse.c (t42_parse_sfnts): Fix off-by-one error in
bounds checking.
---
ChangeLog | 7 +++++++
src/type42/t42parse.c | 2 +-
2 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5d25e0f..e4ebfdb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-21 Werner Lemberg <address@hidden>
+
+ [type42] Fix heap buffer overflow (#46269).
+
+ * src/type42/t42parse.c (t42_parse_sfnts): Fix off-by-one error in
+ bounds checking.
+
2015-10-21 Dave Arnold <address@hidden>
[cff] Fix limit in assert for max hints.
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index 3bcf97e..5e352a2 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -640,7 +640,7 @@
string_buf = parser->root.cursor + 1; /* one space after `RD' */
- if ( (FT_ULong)( limit - parser->root.cursor ) < string_size )
+ if ( (FT_ULong)( limit - parser->root.cursor ) <= string_size )
{
FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master 87fefc5: [type42] Fix heap buffer overflow (#46269).,
Werner LEMBERG <=