[type42] Protect against invalid number of glyphs (#46159).

* src/type42/t42parse.c (t42_parse_charstrings): Check number of `CharStrings' dictionary entries against size of data stream.
9 years ago · 06c2d3324e
parent 983b00ec86
commit 06c2d3324e
2 changed files with 18 additions and 0 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2015-10-08  Werner Lemberg  <wl@gnu.org>
+
+	[type42] Protect against invalid number of glyphs (#46159).
+
+	* src/type42/t42parse.c (t42_parse_charstrings): Check number of
+	`CharStrings' dictionary entries against size of data stream.
+
 2015-10-08  Werner Lemberg  <wl@gnu.org>

 	[sfnt] Fix some signed overflows (#46149).
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@ -795,6 +795,17 @@
        error = FT_THROW( Invalid_File_Format );
        goto Fail;
      }
+
+      /* we certainly need more than 4 bytes per glyph */
+      if ( loader->num_glyphs > ( limit - parser->root.cursor ) >> 2 )
+      {
+        FT_TRACE0(( "t42_parse_charstrings: adjusting number of glyphs"
+                    " (from %d to %d)\n",
+                    loader->num_glyphs,
+                    ( limit - parser->root.cursor ) >> 2 ));
+        loader->num_glyphs = ( limit - parser->root.cursor ) >> 2;
+      }
+
    }
    else if ( *parser->root.cursor == '<' )
    {