* src/cid/cidload.c (cid_face_open): Streamline SubrCount check.

author: Alexei Podtelezhnikov <apodtele@gmail.com> 2021-10-07 22:44:53 -0400
committer: Alexei Podtelezhnikov <apodtele@gmail.com> 2021-10-07 22:44:53 -0400
commit: 946df2216565925223a9e6af4d708906a6262a7d (patch)
tree: 031d53357892e434736cdf49eb00cf71a4d68d91
parent: 0313a11c4c2d1a6688facccffd18e0473dc6953e (diff)
download: freetype2-946df2216565925223a9e6af4d708906a6262a7d.tar.gz
1 files changed, 4 insertions, 5 deletions
diff --git a/src/cid/cidload.c b/src/cid/cidload.c
index ed5fb1ab5..75f3d4c8f 100644
--- a/src/cid/cidload.c
+++ b/src/cid/cidload.c
@@ -902,11 +902,10 @@
         goto Exit;
       }
 
-      /* `num_subrs' is scanned as a signed integer */
-      if ( (FT_Int)dict->num_subrs < 0                                     ||
-           ( dict->sd_bytes                                              &&
-             dict->num_subrs > ( binary_length - dict->subrmap_offset ) /
-                                 dict->sd_bytes                          ) )
+      /* The first condition prevents the multiplication overflow */
+      if ( dict->num_subrs > UINT_MAX / 4         ||
+           dict->num_subrs * dict->sd_bytes >
+             binary_length - dict->subrmap_offset )
       {
         FT_ERROR(( "cid_face_open: Invalid `SubrCount' value\n" ));
         error = FT_THROW( Invalid_File_Format );
author	Alexei Podtelezhnikov <apodtele@gmail.com>	2021-10-07 22:44:53 -0400
committer	Alexei Podtelezhnikov <apodtele@gmail.com>	2021-10-07 22:44:53 -0400
commit	946df2216565925223a9e6af4d708906a6262a7d (patch)
tree	031d53357892e434736cdf49eb00cf71a4d68d91
parent	0313a11c4c2d1a6688facccffd18e0473dc6953e (diff)
download	freetype2-946df2216565925223a9e6af4d708906a6262a7d.tar.gz