From 73be9f9ab67842cfbec36ee99e8d2301434c84ca Mon Sep 17 00:00:00 2001

From: Werner Lemberg <wl@gnu.org>

Date: Mon, 24 Nov 2014 06:30:05 +0000

Subject: [type1, type42] Another fix for Savannah bug #43655.

* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c

(t42_parse_charstrings): Add another boundary testing.

---

diff --git a/src/type1/t1load.c b/src/type1/t1load.c

index caa75bd..24b14a8 100644

--- a/src/type1/t1load.c

+++ b/src/type1/t1load.c

@@ -1589,6 +1589,11 @@

       }

       T1_Skip_PS_Token( parser );

+      if ( parser->root.cursor >= limit )

+      {

+        error = T1_Err_Invalid_File_Format;

+        goto Fail;

+      }

       if ( parser->root.error )

         return;

diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c

index daf304d..d45c069 100644

--- a/src/type42/t42parse.c

+++ b/src/type42/t42parse.c

@@ -823,6 +823,12 @@

         break;

       T1_Skip_PS_Token( parser );

+      if ( parser->root.cursor >= limit )

+      {

+        FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));

+        error = T42_Err_Invalid_File_Format;

+        goto Fail;

+      }

       if ( parser->root.error )

         return;

--

cgit v0.9.0.2