* src/type1/t1load.c (parse_subrs, parse_charstrings): Protect

against too small binary data strings.

* src/bdf/bdflib.c (_bdf_parse_glyphs): Check `STARTCHAR' better.
This commit is contained in:
Werner Lemberg 2007-05-30 13:57:02 +00:00
parent 99e0c18ea1
commit ba03af6f91
3 changed files with 27 additions and 2 deletions

@ -1,3 +1,10 @@
2007-05-30 Werner Lemberg <wl@gnu.org>
* src/type1/t1load.c (parse_subrs, parse_charstrings): Protect
against too small binary data strings.
* src/bdf/bdflib.c (_bdf_parse_glyphs): Check `STARTCHAR' better.
2007-05-28 David Turner <david@freetype.org>
* src/cff/cffgload.c (cff_slot_load): Do not apply the identity

@ -1537,6 +1537,12 @@
s = _bdf_list_join( &p->list, ' ', &slen );
if ( !s )
{
error = BDF_Err_Invalid_File_Format;
goto Exit;
}
if ( FT_NEW_ARRAY( p->glyph_name, slen + 1 ) )
goto Exit;

@ -1379,6 +1379,12 @@
FT_Byte* temp;
if ( size <= face->type1.private_dict.lenIV )
{
error = T1_Err_Invalid_File_Format;
goto Fail;
}
/* t1_decrypt() shouldn't write to base -- make temporary copy */
if ( FT_ALLOC( temp, size ) )
goto Fail;
@ -1548,12 +1554,18 @@
notdef_found = 1;
}
if ( face->type1.private_dict.lenIV >= 0 &&
n < num_glyphs + TABLE_EXTEND )
if ( face->type1.private_dict.lenIV >= 0 &&
n < num_glyphs + TABLE_EXTEND )
{
FT_Byte* temp;
if ( size <= face->type1.private_dict.lenIV )
{
error = T1_Err_Invalid_File_Format;
goto Fail;
}
/* t1_decrypt() shouldn't write to base -- make temporary copy */
if ( FT_ALLOC( temp, size ) )
goto Fail;