[cff] Truncate the element length at the end of the stream.

See Savannah bug #30975. * src/cff/cffload.c (cff_index_access_element): `off2', the offset to the next element is truncated at the end of the stream to prevent invalid I/O. As `off1', the offset to the requested element has been checked by FT_STREAM_SEEK(), `off2' should be checked similarly.
15 years ago · 73aa20ca1d
parent d2d843a01c
commit 73aa20ca1d
2 changed files with 22 additions and 0 deletions
--- a/11
+++ b/11
@ -1,3 +1,14 @@
+2010-09-19  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+ 
+	[cff] Truncate the element length at the end of the stream.
+	See Savannah bug #30975.
+ 
+	* src/cff/cffload.c (cff_index_access_element): `off2', the
+ 	offset to the next element is truncated at the end of the
+	stream to prevent invalid I/O.  As `off1', the offset to the
+	requested element has been checked by FT_STREAM_SEEK(),
+	`off2' should be checked similarly.
+
 2010-09-19  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>

 	[cff] Ignore CID > 0xFFFFU.
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@ -519,6 +519,17 @@
        }
      }

+      /* XXX: should check off2 does not exceed the end of this entry   */
+      /*      at present, only truncate off 2 at the end of this stream */
+      if ( idx->data_offset + off2 - 1 > stream->size )
+      {
+        FT_ERROR(( "cff_index_access_element:"
+                   " offset to next entry (%d)"
+                   " exceeds the end of stream (%d)\n",
+                   off2, stream->size - idx->data_offset + 1 ));
+        off2 = stream->size - idx->data_offset + 1;
+      }
+
      /* access element */
      if ( off1 && off2 > off1 )
      {