[type42] Protect against invalid number of glyphs (#46159).

* src/type42/t42parse.c (t42_parse_charstrings): Check number of
`CharStrings' dictionary entries against size of data stream.
This commit is contained in:
Werner Lemberg 2015-10-08 21:31:57 +02:00
parent 983b00ec86
commit 06c2d3324e
2 changed files with 18 additions and 0 deletions

@ -1,3 +1,10 @@
2015-10-08 Werner Lemberg <wl@gnu.org>
[type42] Protect against invalid number of glyphs (#46159).
* src/type42/t42parse.c (t42_parse_charstrings): Check number of
`CharStrings' dictionary entries against size of data stream.
2015-10-08 Werner Lemberg <wl@gnu.org>
[sfnt] Fix some signed overflows (#46149).

@ -795,6 +795,17 @@
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
/* we certainly need more than 4 bytes per glyph */
if ( loader->num_glyphs > ( limit - parser->root.cursor ) >> 2 )
{
FT_TRACE0(( "t42_parse_charstrings: adjusting number of glyphs"
" (from %d to %d)\n",
loader->num_glyphs,
( limit - parser->root.cursor ) >> 2 ));
loader->num_glyphs = ( limit - parser->root.cursor ) >> 2;
}
}
else if ( *parser->root.cursor == '<' )
{