From 81f3472c0ba7b8f6466e2e214fa8c1c17fade975 Mon Sep 17 00:00:00 2001
From: suzuki toshiya
Date: Fri, 6 Aug 2010 14:11:54 +0900
Subject: [PATCH] Fix Savannah bug #30658.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the total length of collected POST segments does not overrun the allocated buffer.
---
 ChangeLog | 8 ++++++++
 src/base/ftobjs.c | 5 +++++
 2 files changed, 13 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 5b665e3db..73e558f48 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2010-08-06 suzuki toshiya
+
+ Fix Savannah bug #30658.
+
+ * src/base/ftobjs.c (Mac_Read_POST_Resource): Check the total
+ length of collected POST segments does not overrun the allocated
+ buffer.
+
 2010-08-06 Yuriy Kaminskiy
 Fix conditional usage of FT_MulFix_i386.
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 9dce576e1..13c126f6c 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1574,6 +1574,7 @@
 FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", i, offsets[i], rlen, flags ));
+ /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
 if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */
 continue;
@@ -1613,6 +1614,10 @@
 pfb_data[pfb_pos++] = 0;
 }
+ error = FT_Err_Cannot_Open_Resource;
+ if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+ goto Exit2;
+
 error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
 if ( error )
 goto Exit2;
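Review bot: The added guard `pfb_pos + rlen > pfb_len` in the second ftobjs.c hunk adds before it compares, so a very large `rlen` can overflow the sum and, if the type is signed, a negative `rlen` passes it; in either case the `FT_Stream_Read()` that follows is no longer bounded by `pfb_len`. `rlen` appears to be read from the font resource being parsed (it is traced next to `offsets[i]` and `flags` in the first hunk), so it should be treated as untrusted; the declarations of `rlen`, `pfb_pos` and `pfb_len` are outside the hunks and their types need confirming. Comparing against the remaining space avoids the arithmetic: `if ( rlen < 0 || pfb_pos > pfb_len || rlen > pfb_len - pfb_pos )`, where the `rlen < 0` term is only needed for a signed type. The comment added in the first hunk would be clearer if it said where the check lives, for example `/* rlen is checked against the space left in pfb_data right before FT_Stream_Read() */`. Mac_Read_POST_Resource starts and ends outside both hunks.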