diff --git a/ChangeLog b/ChangeLog index 066136a5e..f4e30c679 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2015-10-08 Werner Lemberg + + [type42] Protect against invalid number of glyphs (#46159). + + * src/type42/t42parse.c (t42_parse_charstrings): Check number of + `CharStrings' dictionary entries against size of data stream. + 2015-10-08 Werner Lemberg [sfnt] Fix some signed overflows (#46149). diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c index 003b63ed7..a32d496af 100644 --- a/src/type42/t42parse.c +++ b/src/type42/t42parse.c @@ -795,6 +795,17 @@ error = FT_THROW( Invalid_File_Format ); goto Fail; } + + /* we certainly need more than 4 bytes per glyph */ + if ( loader->num_glyphs > ( limit - parser->root.cursor ) >> 2 ) + { + FT_TRACE0(( "t42_parse_charstrings: adjusting number of glyphs" + " (from %d to %d)\n", + loader->num_glyphs, + ( limit - parser->root.cursor ) >> 2 )); + loader->num_glyphs = ( limit - parser->root.cursor ) >> 2; + } + } else if ( *parser->root.cursor == '<' ) {