diff --git a/ChangeLog b/ChangeLog
index d5697dae4..66603c02a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2016-12-22 Werner Lemberg
+
+ * src/base/ftrfork.c (FT_Raccess_Get_DataOffsets): Check `count'.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=308
+
 2016-12-22 Werner Lemberg
 
 [cff] Protect against invalid `vsindex' and `blend' values.
diff --git a/src/base/ftrfork.c b/src/base/ftrfork.c
index b8b97a826..e656cd797 100644
--- a/src/base/ftrfork.c
+++ b/src/base/ftrfork.c
@@ -248,7 +248,9 @@
 *count = subcnt + 1;
 rpos += map_offset;
 
- if ( *count > 2727 )
+ /* a zero count might be valid in the resource specification, */
+ /* however, it is completely useless to us */
+ if ( *count < 1 || *count > 2727 )
 return FT_THROW( Invalid_Table );
 
 error = FT_Stream_Seek( stream, (FT_ULong)rpos );
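Review bot: The comment added above `if ( *count < 1 || *count > 2727 )` explains only the zero case, but `< 1` also rejects negative counts. That looks like the more important half for memory safety if `subcnt` is a signed value read from the font file and `*count` is later used as an element count; both the declaration and the later uses are outside the hunk, so this is inferred. I would say so in the comment, for example `/* `count' comes from file data: reject zero and negative values */` followed by `/* as well as implausibly large ones before it is used any further */`. The upper bound 2727 is not explained anywhere in the visible lines; a one-line note on how it is derived, or a named constant, would let a reader check that the limit is right. The enclosing function starts and ends outside the hunk.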