|
 |
43e195 |
From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001
|
|
|
43e195 |
From: Werner Lemberg <wl@gnu.org>
|
|
|
43e195 |
Date: Mon, 24 Nov 2014 09:22:08 +0000
|
|
|
43e195 |
Subject: [truetype] Fix Savannah bug #43679.
|
|
|
43e195 |
|
|
|
43e195 |
* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
|
|
|
43e195 |
`record_size'.
|
|
|
43e195 |
---
|
|
|
43e195 |
diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
|
|
|
43e195 |
index 9723a51..9991925 100644
|
|
|
43e195 |
--- a/src/truetype/ttpload.c
|
|
|
43e195 |
+++ b/src/truetype/ttpload.c
|
|
|
43e195 |
@@ -508,9 +508,9 @@
|
|
|
43e195 |
record_size = FT_NEXT_ULONG( p );
|
|
|
43e195 |
|
|
|
43e195 |
/* The maximum number of bytes in an hdmx device record is the */
|
|
|
43e195 |
- /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is */
|
|
|
43e195 |
- /* the reason why `record_size' is a long (which we read as */
|
|
|
43e195 |
- /* unsigned long for convenience). In practice, two bytes */
|
|
|
43e195 |
+ /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus */
|
|
|
43e195 |
+ /* explaining why `record_size' is a long (which we read as */
|
|
|
43e195 |
+ /* unsigned long for convenience). In practice, two bytes are */
|
|
|
43e195 |
/* sufficient to hold the size value. */
|
|
|
43e195 |
/* */
|
|
|
43e195 |
/* There are at least two fonts, HANNOM-A and HANNOM-B version */
|
|
|
43e195 |
@@ -522,8 +522,10 @@
|
|
|
43e195 |
record_size &= 0xFFFFU;
|
|
|
43e195 |
|
|
|
43e195 |
/* The limit for `num_records' is a heuristic value. */
|
|
|
43e195 |
-
|
|
|
43e195 |
- if ( version != 0 || num_records > 255 || record_size > 0x10001L )
|
|
|
43e195 |
+ if ( version != 0 ||
|
|
|
43e195 |
+ num_records > 255 ||
|
|
|
43e195 |
+ record_size > 0x10001L ||
|
|
|
43e195 |
+ record_size < 4 )
|
|
|
43e195 |
{
|
|
|
43e195 |
error = TT_Err_Invalid_File_Format;
|
|
|
43e195 |
goto Fail;
|
|
|
43e195 |
--
|
|
|
43e195 |
cgit v0.9.0.2
|