From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Mon, 24 Nov 2014 10:22:08 +0100
Subject: [PATCH] [truetype] Fix Savannah bug #43679.

* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
`record_size'.
---
 ChangeLog              |  7 +++++++
 src/truetype/ttpload.c | 12 +++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 76ca6752a..f53d56b96 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2014-11-24 Werner Lemberg
+
+	[truetype] Fix Savannah bug #43679.
+
+	* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
+	`record_size'.
+
 2014-11-24 Jarkko Pöyry
 
 	[cff, pfr, psaux, winfonts] Fix Savannah bug #43676.
diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
index 9723a515b..999192542 100644
--- a/src/truetype/ttpload.c
+++ b/src/truetype/ttpload.c
@@ -508,9 +508,9 @@
     record_size = FT_NEXT_ULONG( p );
 
     /* The maximum number of bytes in an hdmx device record is the */
-    /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is   */
-    /* the reason why `record_size' is a long (which we read as    */
-    /* unsigned long for convenience).  In practice, two bytes     */
+    /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus      */
+    /* explaining why `record_size' is a long (which we read as    */
+    /* unsigned long for convenience).  In practice, two bytes are */
     /* sufficient to hold the size value.                          */
     /*                                                             */
     /* There are at least two fonts, HANNOM-A and HANNOM-B version */
@@ -522,8 +522,10 @@
     record_size &= 0xFFFFU;
 
     /* The limit for `num_records' is a heuristic value.           */
-
-    if ( version != 0 || num_records > 255 || record_size > 0x10001L )
+    if ( version != 0           ||
+         num_records > 255      ||
+         record_size > 0x10001L ||
+         record_size < 4        )
     {
       error = FT_THROW( Invalid_File_Format );
       goto Fail;
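Review bot: The new lower bound `record_size < 4` in the second ttpload.c hunk is applied regardless of `num_records`, so an hdmx table that declares zero device records together with a zero or tiny record size is now rejected as Invalid_File_Format even though no record would ever be read from it; if such degenerate tables occur in real fonts, the size bounds should only take effect when there is at least one record, e.g. `num_records > 0 && ( record_size > 0x10001L || record_size < 4 )`. The comment above the condition still only says that the `num_records' limit is heuristic, while the new minimum is a format requirement; a line such as `/* A device record is ppem, maxWidth, and one width per glyph, padded to a multiple of 4 bytes, so anything below 4 is malformed. */` would document why 4 is the bound. The rest of tt_face_load_hdmx, including the code that steps through the records by `record_size', lies outside the hunk, so I cannot confirm here that the records are also bounded against the table length.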