From e3058617f384cb6709f3878f753fa17aca9e3a30 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Sun, 13 Sep 2015 08:41:43 +0200
Subject: [PATCH] [type1] Fix potential buffer overflow (#45923).

* src/type1/t1parse.c (T1_Get_Private_Dict): Assure `cur' doesn't
point to end of file buffer.
---
 ChangeLog           | 7 +++++++
 src/type1/t1parse.c | 9 +++++++++
 2 files changed, 16 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 3618f2489..47cfcf3a3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-09-13  Werner Lemberg  <wl@gnu.org>
+
+	[type1] Fix potential buffer overflow (#45923).
+
+	* src/type1/t1parse.c (T1_Get_Private_Dict): Assure `cur' doesn't
+	point to end of file buffer.
+
 2015-09-13  Werner Lemberg  <wl@gnu.org>
 
 	[gzip] Fix access of small compressed files (#45937).
diff --git a/src/type1/t1parse.c b/src/type1/t1parse.c
index c73b2b25d..d8d4df205 100644
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -389,6 +389,15 @@
 
       cur   = limit;
       limit = parser->base_dict + parser->base_len;
+
+      if ( cur >= limit )
+      {
+        FT_ERROR(( "T1_Get_Private_Dict:"
+                   " premature end in private dictionary\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Exit;
+      }
+
       goto Again;
 
       /* now determine where to write the _encrypted_ binary private  */