[base] Reject invalid sfnt Mac resource (#47891).

* src/base/ftobjs.c (open_face_PS_from_sfnt_stream): Check validity of `CID ' and `TYPE1' table offset and length.
9 years ago · bebac3cf5b
parent 09f0e0fcbe
commit bebac3cf5b
2 changed files with 23 additions and 1 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2016-05-16  Werner Lemberg  <wl@gnu.org>
+
+	[base] Reject invalid sfnt Mac resource (#47891).
+
+	* src/base/ftobjs.c (open_face_PS_from_sfnt_stream): Check validity
+	of `CID ' and `TYPE1' table offset and length.
+
 2016-05-16  Werner Lemberg  <wl@gnu.org>

 	[cid] Fix scanning for `StartData' and `/sfnts' (#47892).
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@ -1483,6 +1483,7 @@
      if ( face_index >= 0 && pstable_index == face_index )
        return FT_Err_Ok;
    }
+
    return FT_THROW( Table_Missing );
  }

@ -1520,6 +1521,19 @@
    if ( error )
      goto Exit;

+    if ( offset > stream->size )
+    {
+      FT_TRACE2(( "open_face_PS_from_sfnt_stream: invalid table offset\n" ));
+      error = FT_THROW( Invalid_Table );
+      goto Exit;
+    }
+    else if ( length > stream->size - offset )
+    {
+      FT_TRACE2(( "open_face_PS_from_sfnt_stream: invalid table length\n" ));
+      error = FT_THROW( Invalid_Table );
+      goto Exit;
+    }
+
    error = FT_Stream_Seek( stream, pos + offset );
    if ( error )
      goto Exit;
@ -1528,7 +1542,8 @@
      goto Exit;

    error = FT_Stream_Read( stream, (FT_Byte *)sfnt_ps, length );
-    if ( error ) {
+    if ( error )
+    {
      FT_FREE( sfnt_ps );
      goto Exit;
    }