authorsuzuki toshiya <sssa@flavor1.ipc.hiroshima-u.ac.jp>2010-07-01 18:39:04 +0900
committersuzuki toshiya <sssa@flavor1.ipc.hiroshima-u.ac.jp>2010-07-01 18:39:04 +0900
commit5ef20c8c1d4de12a84b50ba497c2a358c90ec44b (patch)
tree0dcf573a33c3c113758c74fdfce57d1c9c92e539
parentf29f741efbba0a5ce2f16464f648fb8d026ed4c8 (diff)
Initial fix for Savannah bug #30306.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen', the fragment length declared in the POST fragment header, and prevent an underflow in the length calculation. Some fonts set the length to zero despite the presence of the following 16-bit `type' field. Reported by Robert Swiecki.
-rw-r--r--ChangeLog10
-rw-r--r--src/base/ftobjs.c11
2 files changed, 20 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index de3c5079e..af91e0038 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
2010-07-01 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+ Initial fix for Savannah bug #30306.
+
+ * src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen'
+ the length of fragment declared in the POST fragment header
+ and prevent an underflow in length calculation. Some fonts
+ set the length to zero in spite of the exist of following
+ 16bit `type'. Reported by Robert Swiecki.
+
+2010-07-01 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
Additional fix for Savannah bug #30248 and #30249.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 9217b8767..7c2662f6e 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1547,7 +1547,16 @@
goto Exit;
if ( FT_READ_USHORT( flags ) )
goto Exit;
- rlen -= 2; /* the flags are part of the resource */
+ FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+ i, offsets[i], rlen, flags ));
+
+ /* the flags are part of the resource, so rlen >= 2. */
+ /* but some fonts declare rlen = 0 for empty fragment */
+ if ( rlen > 2 )
+ rlen -= 2;
+ else
+ rlen = 0;
+
if ( ( flags >> 8 ) == type )
len += rlen;
else
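Review bot: The new clamp `if ( rlen > 2 ) rlen -= 2; else rlen = 0;` treats every declared length below 2 — including a negative value, if `rlen` is a signed FT_Long as the surrounding reader code suggests — as an empty fragment, so a fragment header claiming 1 byte or a negative length is silently accepted instead of being rejected as malformed; only `rlen == 0` is the case the commit message describes as seen in real fonts. A fragment that cannot even hold its own 16-bit flags is corrupt, so consider `if ( rlen < 0 ) goto Exit;` (the label the adjacent read checks already use) ahead of the clamp, keeping only the zero case as a tolerance. The comment says `rlen >= 2` while the test is `rlen > 2`; the result is the same since `rlen == 2` yields 0 either way, but `if ( rlen >= 2 )` would match the comment and make the intent obvious. The `FT_TRACE3` line formats `offsets[i]` and `rlen` with `%08x`; if those are `FT_Long`, that is a width mismatch on LP64 targets and should be `%08lx` with an explicit cast. Mac_Read_POST_Resource begins and ends outside this hunk.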