diff --git a/ChangeLog b/ChangeLog
index fb0d6b255..f23507aa0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,16 @@
-2014-02-26 Wermer Lemberg
+2014-02-26 Werner Lemberg
+
+ [winfnt] Fix Savannah bug #41694.
+
+ * src/winfonts/winfnt.c (FNT_Load_Glyph): Check glyph offset.
+
+2014-02-26 Werner Lemberg
 
 [cff] Fix Savannah bug #41693.
 
 * src/cff/cffload.c (CFF_Load_FD_Select): Reject empty array.
 
-2014-02-26 Wermer Lemberg
+2014-02-26 Werner Lemberg
 
 [bdf] Fix Savannah bug #41692.
 
diff --git a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c
index fd6fc557f..e9c1a9b5f 100644
--- a/src/winfonts/winfnt.c
+++ b/src/winfonts/winfnt.c
@@ -4,7 +4,7 @@
 /* */
 /* FreeType font driver for Windows FNT/FON files */
 /* */
-/* Copyright 1996-2004, 2006-2013 by */
+/* Copyright 1996-2004, 2006-2014 by */
 /* David Turner, Robert Wilhelm, and Werner Lemberg. */
 /* Copyright 2003 Huw D M Davies for Codeweavers */
 /* Copyright 2007 Dmitry Timoshkov for Codeweavers */
@@ -977,7 +977,7 @@
 
 font = face->font;
 
- if ( !font ||
+ if ( !font ||
 glyph_index >= (FT_UInt)( FT_FACE( face )->num_glyphs ) )
 {
 error = FT_THROW( Invalid_Argument );
@@ -989,16 +989,26 @@
 if ( glyph_index > 0 )
 glyph_index--; /* revert to real index */
 else
- glyph_index = font->header.default_char; /* the .notdef glyph */
+ glyph_index = font->header.default_char; /* the `.notdef' glyph */
 
 new_format = FT_BOOL( font->header.version == 0x300 );
 len = new_format ? 6 : 4;
 
- /* jump to glyph entry */
- p = font->fnt_frame + ( new_format ? 148 : 118 ) + len * glyph_index;
+ /* get glyph width and offset */
+ offset = ( new_format ? 148 : 118 ) + len * glyph_index;
+
+ if ( offset >= font->header.file_size - 2 - ( new_format ? 4 : 2 ) )
+ {
+ FT_TRACE2(( "invalid FNT offset\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
+ p = font->fnt_frame + offset;
 
 bitmap->width = FT_NEXT_SHORT_LE( p );
 
+ /* jump to glyph entry */
 if ( new_format )
 offset = FT_NEXT_ULONG_LE( p );
 else
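Review bot: The new bounds guard in the last hunk of FNT_Load_Glyph subtracts from `font->header.file_size` before comparing, so if file_size is ever smaller than 2 + (new_format ? 4 : 2) — and, assuming these are unsigned FT_ULong fields as elsewhere in the driver, nothing in this hunk rules that out — the right-hand side wraps and the check passes for every offset. Phrasing it additively avoids the wrap and keeps the same acceptance boundary: `if ( offset + 2 + ( new_format ? 4 : 2 ) >= font->header.file_size )`; with offset derived from a glyph_index already rejected when it reaches num_glyphs (second hunk), the sum cannot realistically overflow. It would also help to say what the constants mean, e.g. `/* entry = 2-byte width + 2- or 4-byte data offset; must lie inside the frame */`, since the `/* get glyph width and offset */` and `/* jump to glyph entry */` labels read as if swapped. The data offset read by FT_NEXT_ULONG_LE at the end of the hunk is not validated here; whether it is checked against file_size before `p` is advanced lies outside the shown lines. FNT_Load_Glyph starts before this hunk and continues past it.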