From 0e2f5d518c60e2978f26400d110eff178fa7e3c3 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Thu, 6 Nov 2014 22:32:46 +0100
Subject: [PATCH] Fix Savannah bug #43547.
* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset' values.
---
 ChangeLog | 7 +++++++
 src/pcf/pcfread.c | 15 +++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index fe1604896..9b56e9136 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2014-11-06 Werner Lemberg
+
+ Fix Savannah bug #43547.
+
+ * src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
+ values.
+
 2014-11-06 Werner Lemberg
 * src/pcf/pcfread.c (pcf_read_TOC): Avoid memory leak.
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index f63377b08..8db31bda0 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -154,6 +154,21 @@ THE SOFTWARE.
 break;
 }
+ /* we now check whether the `size' and `offset' values are reasonable: */
+ /* `offset' + `size' must not exceed the stream size */
+ tables = face->toc.tables;
+ for ( n = 0; n < toc->count; n++ )
+ {
+ /* we need two checks to avoid overflow */
+ if ( ( tables->size > stream->size ) ||
+ ( tables->offset > stream->size - tables->size ) )
+ {
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+ tables++;
+ }
+
 #ifdef FT_DEBUG_LEVEL_TRACE
 {
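Review bot: The bound in the new loop is only as strong as `stream->size`, and the hunk does not say what that field holds when the real length is unknown. If I recall the stream layer correctly, compressed streams can report a large placeholder size, in which case an out-of-range `offset`/`size` pair would still pass this check. The table readers that run later therefore still have to treat every seek and read error as fatal rather than rely on this loop, and a comment saying so would help, e.g. `/* upper bound only: stream->size may not be exact, so readers must still check I/O errors */`. The two-clause comparison is overflow-safe only for unsigned operands; the declarations of `size`, `offset` and `stream->size` are outside the hunk, so that is worth confirming. pcf_read_TOC starts and ends outside the hunk, so the cleanup done at `Exit` is not visible here.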