[cff] Emit better error code for invalid private dict size.

* src/cff/cffparse.c (cff_parse_private_dict): Reject negative values for size and offset.
10 years ago · 93a884c6cd
parent b57bb11ad0
commit 93a884c6cd
2 changed files with 29 additions and 2 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2015-02-19  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Emit better error code for invalid private dict size.
+
+	* src/cff/cffparse.c (cff_parse_private_dict): Reject negative
+	values for size and offset.
+
 2015-02-19  Werner Lemberg  <wl@gnu.org>

 	[autofit] Fix signedness issues.
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@ -617,14 +617,34 @@

    if ( parser->top >= parser->stack + 2 )
    {
-      dict->private_size   = cff_parse_num( data++ );
-      dict->private_offset = cff_parse_num( data   );
+      FT_Long  tmp;
+
+
+      tmp = cff_parse_num( data++ );
+      if ( tmp < 0 )
+      {
+        FT_ERROR(( "cff_parse_private_dict: Invalid dictionary size\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Fail;
+      }
+      dict->private_size = (FT_ULong)tmp;
+
+      tmp = cff_parse_num( data );
+      if ( tmp < 0 )
+      {
+        FT_ERROR(( "cff_parse_private_dict: Invalid dictionary offset\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Fail;
+      }
+      dict->private_offset = (FT_ULong)tmp;
+
      FT_TRACE4(( " %lu %lu\n",
                  dict->private_size, dict->private_offset ));

      error = FT_Err_Ok;
    }

+  Fail:
    return error;
  }