authorsuzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>2009-07-03 18:01:35 +0900
committersuzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>2009-07-03 18:01:35 +0900
commita72a4bd3b75e231c854c1fdc1ae0e06aaeeb3e76 (patch)
tree248cdb73b720576ee84f1f321ca1421d4cf79120
parent34bc30a5f0b3a25d0a68a42bebcb065ab01a517a (diff)
truetype: Check invalid function number in FDEF instruction.
-rw-r--r--ChangeLog7
-rw-r--r--src/truetype/ttinterp.c12
2 files changed, 17 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 8eb8bb109..29d954c7c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2009-07-03 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+ truetype: Check invalid function number in FDEF instruction.
+
+ * src/truetype/ttinterp.c (Ins_FDEF): Check
+ if the operand fits 16-bit function number.
+
+2009-07-03 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
truetype: Truncate the deltas of composite glyph at 16-bit values.
* src/truetype/ttgload.c (load_truetype_glyph):
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index e6a0700a4..816d1dad4 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4290,13 +4290,21 @@
CUR.numFDefs++;
}
+ /* Although FDEF takes unsigned 32-bit integer, */
+ /* func # must be within unsigned 16-bit integer */
+ if ( n > 0xFFFFU )
+ {
+ CUR.error = TT_Err_Too_Many_Function_Defs;
+ return;
+ }
+
rec->range = CUR.curRange;
- rec->opc = n;
+ rec->opc = (FT_UInt16)n;
rec->start = CUR.IP + 1;
rec->active = TRUE;
if ( n > CUR.maxFunc )
- CUR.maxFunc = n;
+ CUR.maxFunc = (FT_UInt16)n;
/* Now skip the whole function definition. */
/* We don't allow nested IDEFS & FDEFs. */
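Review bot: The new range check runs after the `CUR.numFDefs++;` at the top of the hunk, so a definition rejected for `n > 0xFFFFU` has apparently already claimed a table slot, and the `rec->range`, `rec->opc`, `rec->start` and `rec->active` fields of that slot are never written. The slot allocation starts outside the hunk, so this is inferred from the visible ordering only; if it holds, the counted slot keeps whatever it held before. Moving the `if ( n > 0xFFFFU )` block to just after `n` is read from the operand, ahead of the table search and the increment, would reject a malformed font program before any interpreter state changes. The casts to `(FT_UInt16)` are only safe because of this check, which deserves a short comment at the `rec->opc = (FT_UInt16)n;` line, for example `/* n <= 0xFFFF is guaranteed by the check above */`. `TT_Err_Too_Many_Function_Defs` is also reused for an out-of-range function number, which makes the two failure causes indistinguishable when diagnosing a bad font.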