[freetype2] master 1211224: [type1] Protect against invalid number of su
From: Werner LEMBERG
Subject: [freetype2] master 1211224: [type1] Protect against invalid number of subroutines (#46150).
Date: Thu, 08 Oct 2015 09:33:35 +0000
branch: master
commit 121122416d36126d3ce46287e9617690722b83e9
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>
[type1] Protect against invalid number of subroutines (#46150).
* src/type1/t1load.c (parse_subrs): Check number of
`Subrs' dictionary entries against size of data stream.
---
ChangeLog | 7 +++++++
src/type1/t1load.c | 15 +++++++++++++++
2 files changed, 22 insertions(+), 0 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5286ee8..8fb955e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-08 Werner Lemberg <address@hidden>
+
+ [type1] Protect against invalid number of subroutines (#46150).
+
+ * src/type1/t1load.c (parse_subrs): Check number of
+ `Subrs' dictionary entries against size of data stream.
+
2015-10-07 Kostya Serebryany <address@hidden>
[ftfuzzer] Add support for LLVM's LibFuzzer.
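Review bot: The ChangeLog entry mentions only the check against the data stream size, but the t1load.c change has two different outcomes that are worth recording: a negative count is rejected with Invalid_File_Format, while a count that is too large is reduced and parsing continues. Suggest wording the entry along the lines of "Reject negative number of `Subrs' entries; limit the number to what the remaining data stream can hold", so that someone reading the log knows an oversized value is not treated as an error.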
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index dbf4eaf..01fb60f 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1420,6 +1420,21 @@
}
num_subrs = (FT_Int)T1_ToInt( parser );
+ if ( num_subrs < 0 )
+ {
+ parser->root.error = FT_THROW( Invalid_File_Format );
+ return;
+ }
+
+ /* we certainly need more than 8 bytes per subroutine */
+ if ( num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
+ {
+ FT_TRACE0(( "parse_subrs: adjusting number of subroutines"
+ " (from %d to %d)\n",
+ num_subrs,
+ ( parser->root.limit - parser->root.cursor ) >> 3 ));
+ num_subrs = ( parser->root.limit - parser->root.cursor ) >> 3;
+ }
/* position the parser right before the `dup' of the first subr */
T1_Skip_PS_Token( parser ); /* `array' */
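Review bot: In the clamp branch, `( parser->root.limit - parser->root.cursor ) >> 3` is written out three times, and its result is passed to `%d` in FT_TRACE0 and assigned to num_subrs without a cast. If limit and cursor are byte pointers, as their names suggest, the difference has type ptrdiff_t, which is wider than int on LP64 targets, so the trace argument does not match its format and the assignment narrows implicitly. Compute the bound once into a local right after the negative check, compare num_subrs against that local, and cast explicitly where the value is traced and stored. The comment would also benefit from saying where the 8-byte minimum per subroutine comes from and that an oversized count is deliberately clamped rather than rejected like the negative one, so the asymmetry between the two branches is not mistaken for an oversight.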