From 2439c515a79fe05ebc9d1a91d94b21ff716524a7 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 25 Sep 2015 16:54:28 +0200
Subject: [PATCH] [type1] Protect against invalid number of glyphs (#46029).
* src/type1/t1load.c (parse_charstrings): Check number of
`CharStrings' dictionary entries against size of data stream.
---
 ChangeLog | 7 +++++++
 src/type1/t1load.c | 11 ++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 1cc65bace..e54092d82 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-09-25 Werner Lemberg
+
+ [type1] Protect against invalid number of glyphs (#46029).
+
+ * src/type1/t1load.c (parse_charstrings): Check number of
+ `CharStrings' dictionary entries against size of data stream.
+
 2015-09-23 Werner Lemberg
 [sfnt] Better checks for invalid cmaps (2/2) (#46019).
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index 479cb7a00..dbf4eafd7 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1541,7 +1541,7 @@
 PSAux_Service psaux = (PSAux_Service)face->psaux;
- FT_Byte* cur;
+ FT_Byte* cur = parser->root.cursor;
 FT_Byte* limit = parser->root.limit;
 FT_Int n, num_glyphs;
 FT_Int notdef_index = 0;
@@ -1555,6 +1555,15 @@
 goto Fail;
 }
+ /* we certainly need more than 8 bytes per glyph */
+ if ( num_glyphs > ( limit - cur ) >> 3 )
+ {
+ FT_TRACE0(( "parse_charstrings: adjusting number of glyphs" " (from %d to %d)\n", num_glyphs, ( limit - cur ) >> 3 ));
+ num_glyphs = ( limit - cur ) >> 3;
+ }
+
 /* some fonts like Optima-Oblique not only define the /CharStrings */
 /* array but access it also */
 if ( num_glyphs == 0 || parser->root.error )
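Review bot: In the second t1load.c hunk the trace call passes `( limit - cur ) >> 3`, a `ptrdiff_t`, to a `%d` conversion, which is a format/argument mismatch on LP64 targets whenever tracing is compiled in, and the assignment on the next line narrows the same `ptrdiff_t` to `FT_Int` implicitly. Cast once and reuse the value, e.g. `FT_Int  max_glyphs = (FT_Int)( ( limit - cur ) >> 3 );` before the `if`, then `if ( num_glyphs > max_glyphs )` and `num_glyphs = max_glyphs;`, with `max_glyphs` as the second trace argument. The clamp itself is the right defence: it bounds the per-glyph loop by the bytes actually present in the stream instead of trusting the declared `/CharStrings` count, so a malformed font can no longer drive allocation or iteration from an unchecked number. The first hunk now snapshots `parser->root.cursor` at declaration; if the parser advances between that point and the check (the intervening lines and the rest of parse_charstrings are outside the hunk) the bound is computed from a slightly earlier position, which is still a valid upper bound but deserves a one-line comment such as `/* cur is the position before the glyph count was read; bound is conservative */`.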