[truetype] Prevent address overflow (#51365).

* src/truetype/ttgxvar.c (FT_Stream_SeekSet): Add guard.
author: Werner Lemberg <wl@gnu.org> 2017-07-04 08:08:54 +0200
committer: Werner Lemberg <wl@gnu.org> 2017-07-04 08:08:54 +0200
commit: 1c85479d2d1de54a4b592ffbef0ae24f498053d2 (patch)
tree: 9c070e0ee4186c18283da1764795cff6609693b1
parent: c56d8851ea987023cc73981a70d261b3f6427545 (diff)
download: freetype2-1c85479d2d1de54a4b592ffbef0ae24f498053d2.tar.gz
2 files changed, 10 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 8b2d72275..f1ca0f516 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-07-04  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Prevent address overflow (#51365).
+
+	* src/truetype/ttgxvar.c (FT_Stream_SeekSet): Add guard.
+
 2017-07-03  Alexei Podtelezhnikov  <apodtele@gmail.com>
 
 	* src/base/ftlcdfil.c (ft_lcd_filter_fir): Improve code.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index f2049796d..9125afd10 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -60,8 +60,10 @@
 
 #define FT_Stream_FTell( stream )                         \
           (FT_ULong)( (stream)->cursor - (stream)->base )
-#define FT_Stream_SeekSet( stream, off )                  \
-          ( (stream)->cursor = (stream)->base + (off) )
+#define FT_Stream_SeekSet( stream, off )                                  \
+          (stream)->cursor = ( (off) < (stream)->limit - (stream)->base ) \
+                               ? (stream)->base + (off)                   \
+                               : (stream)->limit
 
 
   /*************************************************************************/
author	Werner Lemberg <wl@gnu.org>	2017-07-04 08:08:54 +0200
committer	Werner Lemberg <wl@gnu.org>	2017-07-04 08:08:54 +0200
commit	1c85479d2d1de54a4b592ffbef0ae24f498053d2 (patch)
tree	9c070e0ee4186c18283da1764795cff6609693b1
parent	c56d8851ea987023cc73981a70d261b3f6427545 (diff)
download	freetype2-1c85479d2d1de54a4b592ffbef0ae24f498053d2.tar.gz