From 812ed3418969a013fce68c3884f7f8fc23c6b4bf Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Thu, 11 Dec 2014 14:07:29 +0100
Subject: [PATCH] * src/type42/t42parse.c (t42_parse_sfnts): Reject invalid TTF size.
---
 ChangeLog | 4 ++++
 src/type42/t42parse.c | 7 +++++++
 2 files changed, 11 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index bbc0422c0..67b9e5a2c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2014-12-11 Werner Lemberg
+
+ * src/type42/t42parse.c (t42_parse_sfnts): Reject invalid TTF size.
+
 2014-12-11 Werner Lemberg
 * src/base/ftobjs.c (FT_Get_Glyph_Name): Fix off-by-one check.
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index bdecba914..50708537d 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -667,6 +667,13 @@
 status = BEFORE_TABLE_DIR;
 face->ttf_size = 12 + 16 * num_tables;
+ if ( (FT_ULong)( limit - parser->root.cursor ) < face->ttf_size )
+ {
+ FT_ERROR(( "t42_parse_sfnts: invalid data in sfnts array\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Fail;
+ }
+
 if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
 goto Fail;
 }
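Review bot: The new size check in the src/type42/t42parse.c hunk has no comment saying what it guards, although it is the only bound on `face->ttf_size` before that value sizes the `FT_REALLOC` on the next statement. I would add above the `if` a comment such as `/* the table directory (12 + 16 * num_tables bytes) must fit into the data left in the sfnts array */`. The cast `(FT_ULong)( limit - parser->root.cursor )` also assumes the cursor is never past `limit`; if code outside this hunk does not guarantee that, a negative difference would wrap to a large value and pass the check, so the condition could start with `parser->root.cursor > limit ||`. The enclosing function, t42_parse_sfnts, starts and ends outside the hunk, so the origin of `num_tables` and the declared type of `ttf_size` cannot be confirmed from here.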