From 240c94a185cd8dae7d03059abec8a5662c35ecd3 Mon Sep 17 00:00:00 2001
From: suzuki toshiya
Date: Wed, 26 Nov 2014 06:43:29 +0000
Subject: Fix Savannah bug #43538. * src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow by a broken POST table in resource-fork.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 4d60e88..ffbbc32 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1565,10 +1565,23 @@ goto Exit; if ( FT_READ_LONG( temp ) ) goto Exit; + if ( 0 > temp ) + error = FT_Err_Invalid_Offset; + else if ( 0x7FFFFFFFL - 6 - pfb_len < temp ) + error = FT_Err_Array_Too_Large; + + if ( error ) + goto Exit; + pfb_len += temp + 6; } - if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) ) + if ( 0x7FFFFFFFL - 2 < pfb_len ) + error = FT_Err_Array_Too_Large; + else + error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ); + + if ( error ) goto Exit; pfb_data[0] = 0x80; -- cgit v0.9.0.2
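Review bot: In the second changed block, `error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );` assigns the macro's result to `error`, while the removed line and the `FT_READ_LONG` call above use these macros as truth-valued conditions that set `error` themselves; if FT_ALLOC follows that convention, an allocation failure would leave `error` holding 1 instead of the real out-of-memory code. Keeping the original form avoids this: `if ( 0x7FFFFFFFL - 2 < pfb_len ) { error = FT_Err_Array_Too_Large; goto Exit; }` followed by the unchanged `if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) ) goto Exit;`. The per-fragment guard `0x7FFFFFFFL - 6 - pfb_len < temp` is only overflow-free while `pfb_len` is a non-negative signed long, and the declarations of `temp` and `pfb_len` sit outside the hunk (Mac_Read_POST_Resource starts and ends beyond it), so a one-line comment stating that assumption would help. The bound also only caps the total at 2 GiB; comparing the accumulated length against the resource's actual size, if that is available here, would reject a broken POST table before a large allocation is attempted.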