[sfnt] Fix Savannah bug #43680.

This adds an additional constraint to make the fix from 2013-01-25 really work. * src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>: Check `p' before `num_glyphs'.
10 years ago · f0292bb992
parent eca0f06706
commit f0292bb992
2 changed files with 12 additions and 1 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+2014-11-24  Werner Lemberg  <wl@gnu.org>
+
+	[sfnt] Fix Savannah bug #43680.
+
+	This adds an additional constraint to make the fix from 2013-01-25
+	really work.
+
+	* src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>:
+	Check `p' before `num_glyphs'.
+
 2014-11-24  Werner Lemberg  <wl@gnu.org>

 	[truetype] Fix Savannah bug #43679.
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@ -1170,7 +1170,8 @@
        num_glyphs = FT_NEXT_ULONG( p );

        /* overflow check for p + ( num_glyphs + 1 ) * 4 */
-        if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
+        if ( p + 4 > p_limit                                         ||
+             num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
          goto NoBitmap;

        for ( mm = 0; mm < num_glyphs; mm++ )