From 0e2f5d518c60e2978f26400d110eff178fa7e3c3 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Thu, 06 Nov 2014 21:32:46 +0000
Subject: Fix Savannah bug #43547.

* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset' values.
---
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index f63377b..8db31bd 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -151,6 +151,21 @@ THE SOFTWARE.
 break;
 }
 
+ /* we now check whether the `size' and `offset' values are reasonable: */
+ /* `offset' + `size' must not exceed the stream size */
+ tables = face->toc.tables;
+ for ( n = 0; n < toc->count; n++ )
+ {
+ /* we need two checks to avoid overflow */
+ if ( ( tables->size > stream->size ) ||
+ ( tables->offset > stream->size - tables->size ) )
+ {
+ error = PCF_Err_Invalid_Table;
+ goto Exit;
+ }
+ tables++;
+ }
+
 #ifdef FT_DEBUG_LEVEL_TRACE
 
 {
-- cgit v0.9.0.2
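Review bot: The new loop bounds each table against the stream on its own, so overlapping or duplicate tables still pass, and the second comment could be read as promising more than the check delivers; the per-table parsers that follow must still bound their own reads. I would extend that comment to `/* offset + size must not exceed the stream size; tables may still overlap */` so the scope of the check is explicit. A point of style: the loop initialises `tables` from `face->toc.tables` but iterates over `toc->count`; if `toc` is the alias of `face->toc` used above the hunk, `tables = toc->tables;` keeps the two in step. pcf_read_TOC starts and ends outside the hunk, so I cannot see whether the `Exit` label releases `face->toc.tables` on this new error path; worth confirming, since the TOC was allocated before this check runs.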