From cd4a5a26e591d01494567df9dec7f72d59551f6e Mon Sep 17 00:00:00 2001
From: suzuki toshiya
Date: Wed, 26 Nov 2014 15:20:48 +0000
Subject: * src/base/ftobj.c (Mac_Read_POST_Resource): Additional overflow check in the summation of POST fragment lengths, suggested by Mateusz Jurczyk .
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 4321126..b28216a 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1566,8 +1566,10 @@
 if ( FT_READ_ULONG( temp ) )
 goto Exit;
 FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i, temp)); 
- if ( 0x7FFFFFFFUL < temp ) 
+ if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len )
 { 
+ FT_TRACE2(( " too long fragment length makes" " pfb_len confused: temp=0x%08x\n", temp ));
 error = FT_Err_Invalid_Offset;
 goto Exit;
 } 
-- 
cgit v0.9.0.2
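Review bot: The added wrap-around test `pfb_len + temp + 6 < pfb_len` only fires when the sum actually wraps in the type of pfb_len, so on LP64 targets where `unsigned long` is 64 bits it can never trigger for a 32-bit value read by FT_READ_ULONG and gives no protection if pfb_len is later narrowed or used to size an allocation (its declaration and later uses are outside this hunk, so this is inferred). Testing against the explicit bound the line already applies to a single fragment avoids the type dependence: `if ( 0x7FFFFFFFUL < temp || 0x7FFFFFFFUL - temp < pfb_len + 6 )` rejects any accumulated length above 0x7FFFFFFF without relying on unsigned wrap-around, and `0x7FFFFFFFUL - temp` cannot underflow once the first clause has passed. The new FT_TRACE2 prints `temp` with `%08x`; if `temp` is an FT_ULong, as FT_READ_ULONG suggests, the conversion should be `%08lx` so the specifier matches the argument type. Mac_Read_POST_Resource starts and ends outside the hunk.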