From 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415 Mon Sep 17 00:00:00 2001
From: suzuki toshiya
Date: Wed, 26 Nov 2014 06:52:23 +0000
Subject: Fix Savannah bug #43539.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow by a broken POST table in resource-fork.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index ffbbc32..922216e 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1589,6 +1589,11 @@
         goto Exit2;
       if ( FT_READ_LONG( rlen ) )
         goto Exit;
+      if ( rlen < 0 )
+      {
+        error = FT_Err_Invalid_Offset;
+        goto Exit2;
+      }
       if ( FT_READ_USHORT( flags ) )
         goto Exit;
       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
@@ -1606,7 +1611,14 @@
         rlen = 0;
 
       if ( ( flags >> 8 ) == type )
+      {
+        if ( 0x7FFFFFFFL - rlen < len )
+        {
+          error = FT_Err_Array_Too_Large;
+          goto Exit2;
+        }
         len += rlen;
+      }
       else
       {
         if ( pfb_lenpos + 3 > pfb_len + 2 )
@@ -1635,6 +1647,11 @@
       }
 
       error = FT_Err_Cannot_Open_Resource;
+      if ( rlen > 0x7FFFFFFFL - pfb_pos )
+      {
+        error = FT_Err_Array_Too_Large;
+        goto Exit2;
+      }
       if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
         goto Exit2;
 
-- 
cgit v0.9.0.2
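Review bot: The new `if ( rlen < 0 )` guard reports `FT_Err_Invalid_Offset`, but `rlen` is a fragment length read by `FT_READ_LONG`, not an offset, and the two later guards in this commit report `FT_Err_Array_Too_Large`, so a reader cannot tell whether the different code is deliberate. A short comment would settle it and also record why the check matters beyond the immediate error: `/* a negative fragment length means a corrupt POST resource; */` `/* the bounds checks below assume rlen >= 0 */`. Both later subtractions from `0x7FFFFFFFL` only make sense once this check has run, which is worth stating at the point that establishes it. The enclosing loop and the `Exit`/`Exit2` labels are outside the hunk.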
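Review bot: The overflow bound in `if ( 0x7FFFFFFFL - rlen < len )` is a bare literal, and the same literal reappears in the third hunk's `if ( rlen > 0x7FFFFFFFL - pfb_pos )`; a named constant declared once near the function (a constructed name such as `POST_MAX_FRAGMENT_LEN`) would document that the cap is the signed 32-bit range of what `FT_READ_LONG` produces rather than whatever `long` happens to be on the host. The condition is only sound because `rlen >= 0` was established earlier in the same iteration and, presumably, `len` never goes negative; neither is visible here, so a comment such as `/* rlen >= 0 was checked above; keep len within 32-bit signed range */` would help the next reader. The two guards are also written in opposite orientations (`limit - rlen < len` here, `rlen > limit - pfb_pos` in the third hunk), which makes them look like different tests when they are the same overflow check.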
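Review bot: The new guard is inserted between `error = FT_Err_Cannot_Open_Resource;` and the `if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )` check that depends on that assignment, so the assignment is now separated from its `goto Exit2;` by a block that overwrites `error`; placing the new block before the `error = FT_Err_Cannot_Open_Resource;` line keeps each error code next to the exit it feeds. The ordering also matters for correctness and deserves a comment, since the `pfb_pos + rlen` addition on the following line is exactly what the guard protects: `/* must precede the pfb_pos + rlen check below, which would otherwise overflow */`. The soundness of `0x7FFFFFFFL - pfb_pos` rests on `pfb_pos` being non-negative, which is not visible in this hunk and should be confirmed against where `pfb_pos` is advanced.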