diff --git a/ChangeLog b/ChangeLog
index b042fc9da..4235ffb36 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2010-08-05 Werner Lemberg
+
+ Fix Savannah bug #30656.
+
+ * src/type42/t42parse.c (t42_parse_sfnts): Protect against negative
+ string_size.
+ Fix comparison.
+
 2010-08-05 suzuki toshiya
 [cff] Don't use any values in decoder after parsing error.
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index 4dc7203be..577426917 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -4,7 +4,7 @@
 /* */
 /* Type 42 font parser (body). */
 /* */
-/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
+/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
 /* Roberto Alameda. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -577,6 +577,12 @@
 }
 string_size = T1_ToInt( parser );
+ if ( string_size < 0 )
+ {
+ FT_ERROR(( "t42_parse_sfnts: invalid string size\n" ));
+ error = T42_Err_Invalid_File_Format;
+ goto Fail;
+ }
 T1_Skip_PS_Token( parser ); /* `RD' */
 if ( parser->root.error )
@@ -584,13 +590,14 @@
 string_buf = parser->root.cursor + 1; /* one space after `RD' */
- parser->root.cursor += string_size + 1;
- if ( parser->root.cursor >= limit )
+ if ( limit - parser->root.cursor < string_size )
 {
 FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
 error = T42_Err_Invalid_File_Format;
 goto Fail;
 }
+ else
+ parser->root.cursor += string_size + 1;
 }
 if ( !string_buf )
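Review bot: The new bounds test in the last hunk still permits a one-byte overread of the binary string: `string_buf` is set to `parser->root.cursor + 1` on the line just above it, so the data occupies `string_size + 1` bytes starting at the cursor, yet the check only requires `limit - parser->root.cursor >= string_size`, so a string whose last byte sits exactly at `limit` is accepted (the replaced test treated the cursor reaching `limit` as an error, which suggests `limit` is exclusive). Tightening it to `if ( limit - parser->root.cursor <= string_size )` keeps the overflow-free pointer-difference form the commit introduces while accounting for the skipped space, and the earlier `string_size < 0` guard makes the signed comparison safe. Note that the old code also rejected the advanced cursor being merely equal to `limit`; whether the parsing that follows tolerates `cursor == limit` cannot be seen from this hunk. t42_parse_sfnts begins and ends outside the hunk.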