From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001

From: Werner Lemberg <wl@gnu.org>

Date: Wed, 12 Nov 2014 20:26:44 +0000

Subject: [sfnt] Fix Savannah bug #43590.

* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):

Protect against addition overflow.

---

diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c

index 0a3cd29..8338150 100644

--- a/src/sfnt/ttload.c

+++ b/src/sfnt/ttload.c

@@ -5,7 +5,7 @@

 /*    Load the basic TrueType tables, i.e., tables that can be either in   */

 /*    TTF or OTF fonts (body).                                             */

 /*                                                                         */

-/*  Copyright 1996-2010, 2012 by                                           */

+/*  Copyright 1996-2010, 2012-2014 by                                      */

 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */

 /*                                                                         */

 /*  This file is part of the FreeType project, and may only be used,       */

@@ -207,7 +207,10 @@

       }

       /* we ignore invalid tables */

-      if ( table.Offset + table.Length > stream->size )

+

+      /* table.Offset + table.Length > stream->size ? */

+      if ( table.Length > stream->size                ||

+           table.Offset > stream->size - table.Length )

       {

         FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));

         continue;

@@ -398,7 +398,10 @@

       entry->Length   = FT_GET_LONG();

       /* ignore invalid tables */

-      if ( entry->Offset + entry->Length > stream->size )

+

+      /* entry->Offset + entry->Length > stream->size ? */

+      if ( entry->Length > stream->size                 ||

+           entry->Offset > stream->size - entry->Length )

         continue;

       else

       {

--

cgit v0.9.0.2